ABSTRACT 


Authentication is the verification of a user against a system's services and resources, followed by authorization according to the user's requirements. It also ensures that control over the system and its resources is not illegally obtained by any non-genuine user. The alphanumeric password authentication system is one of the weakest mechanisms currently in use. Many schemes based entirely on end-to-end encryption and decryption techniques have been developed to solve the problem of unauthorized access to system resources, but none of them has proven convenient and complex enough to secure the system. It has been observed that the previous methods are vulnerable to various kinds of attack, and that they are neither user-friendly nor efficient. In this paper we have developed two algorithms for securing passwords over any channel, secure or insecure: even if the channel is compromised and a user's identifiers (ids and passwords) become known to another person, that person is unable to authenticate him/herself. The first algorithm is based on time (called 4D) and a one-way hash function; the second secures the OTP and reset code at the client side. 
CHAPTER 1: INTRODUCTION 


1.1. AUTHENTICATION 

Authentication is a critical component of many applications and of hardware both large and small. Implementing an authentication system is a challenging task: one must decide where authentication is needed and what type of system is needed, and the system must be deployed safely. Authentication is essentially the act of establishing a link between the system and the user over a secure channel using a definite identity of the user. The identity can be any of a number of things, including a system, a person, an application or a message. The basic reasons to verify an identity are the following [13]: 

• To assure that a piece of information is genuine. 

• To create trust between the multiple parties with whom we interact digitally. 

• To control access to the system or its resources. 

• To bind some sensitive data, such as an encryption key, to an individual. 

There are various types of authentication technique, such as: 

• Cryptographic authentication. 

• Multi-factor authentication. 

• Single (basic) factor authentication. 

The above-mentioned authentication schemes can be applied to all types of entities that require authentication: users, systems, messages, applications, etc. 

Basic authentication: This is a very commonly used term that most people probably already understand. It is commonly called password-based authentication. A password is a piece of information used to verify the identity of a user. Some common examples that fall into this type are: 

• Common passwords. 

• Host or system names. 

• Application names. 

• Numerical IDs. 

It entails the validation of a single pair of credentials: the user's identity reference and the password. The process typically receives the password and compares it with the data stored in the database. The benefits of such a scheme are: 

• It is easy to manage. 

• It is easy to implement. 

• It is easy for the end user to use. 

There are some important points every developer should be aware of when using this scheme; some of them are listed below [14]: 

• Identifiers like ids and passwords are commonly weakly specified. 

• Identities might be spoofed and impersonated. 

• Passwords could be susceptible to theft. 

• It can be very difficult to scale up and down across a distributed computing environment [16]. 

Basic authentication is often found to transmit identifiers over a network, where they can easily be stolen and compromised. We have found some of the best ways to increase the strength of this scheme: 

• Use digest authentication: hashing and encryption of the identifiers. 

• Use pass phrases and set minimum lengths. 

• Force the use of alphanumeric passwords with special characters. 

• Do not store the passwords in plain text in the database. 

• Implement the TLS/SSL security mechanism. 
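The following is an added example, not code from the thesis, that makes the "do not store passwords in plain text" advice concrete: a plaintext password table beside a salted, iterated hash store, with a constant-time comparison on verification. The user names, passwords, function names and iteration count are all constructed assumptions.

```python
"""Added example (not from the thesis): plaintext password lookup beside a
salted-hash store. All names, sample users and the iteration count are
assumptions chosen for illustration."""
import hashlib
import hmac
import os

# --- Weak scheme: the table holds the plaintext password itself -----------
# A stolen copy of this table hands the intruder every password directly.
PLAINTEXT_TABLE = {"alice": "S3cret!pass"}   # constructed sample entry

def plaintext_login(user_id, password):
    # Direct comparison against stored plaintext (what the text warns against).
    return PLAINTEXT_TABLE.get(user_id) == password

# --- Hardened scheme: salted, iterated hash; the plaintext is never stored --
ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows

def make_record(password, salt=None):
    """Return (salt, digest) for storage; the password itself is discarded."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

HASHED_TABLE = {"alice": make_record("S3cret!pass")}

def hashed_login(user_id, password):
    record = HASHED_TABLE.get(user_id)
    if record is None:
        # Unknown user: still do the hashing work so response time does not
        # reveal which ids exist.
        make_record(password)
        return False
    salt, stored = record
    _, candidate = make_record(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, candidate)

def table_exposure(table):
    """What a thief of each table learns: the password, or only salt and hash."""
    return {u: (v if isinstance(v, str) else "<salt+hash only>")
            for u, v in table.items()}
```

Both login functions accept the genuine password; the difference shows up in `table_exposure`, where a copy of the hashed table yields no password, which is exactly the failure the plaintext table in the previous section's attack description relies on.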

Multi-factor authentication [2, 18]: It is a kind of authentication that uses a combination of authentication methods to validate the identity and allocate resources to the user. It works with the most commonly used pieces of information: something known by the person, combined with something in his or her possession. These are typically: 

• The user name and the password. 

• Tokens. 

As the security components are layered, the complexity of the system also rises, and as part of this it provides the following additional benefits: 

• Easy to implement. 

• Difficult to spoof or impersonate. 

Some of the disadvantages of this type of scheme are: 

• Deployment can be difficult. 

• Tokens can easily be stolen. 

• Management of the scheme can be challenging, especially in the event of lost or stolen tokens. 

Cryptographic authentication [11, 20]: As its name makes clear, it uses the mechanisms of cryptography. This type of technique provides security against loss of confidentiality. Such authentication schemes include the following forms: 

• Public key authentication: This type of authentication occurs when the owner of a key pair uses the public key to authenticate to third parties. There are several methods of public key authentication, such as the use of the public key itself and public key certificates. 

• Digital signatures: It is a kind of cryptographic puzzle. A digital signature is generated using the owner's key pair: the private key is used to sign the message, and the signature can then be verified only with the corresponding key. 

• Message authentication code: It uses a MAC. In this method, a message authentication code is generated when a secret key is combined with the information which is to be proved authentic. Hashing algorithms or symmetric encryption are used to generate the MAC, and MACs provide integrity and authenticity. 

• Password combinations and permutations: 
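As an added example for the message authentication code bullet above (not code from the thesis), the block below builds a MAC from a shared secret and a hash function (HMAC-SHA256) and shows the receiving side detecting an altered message. The key, the messages and the function names are constructed assumptions.

```python
"""Added example (not from the thesis): a message authentication code from a
shared secret and a hash, checked by the receiver. Key, messages and names are
constructed for illustration."""
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-secret-key"  # known only to the two parties

def make_mac(key, message):
    """Tag = HMAC(key, message); without the key no valid tag can be produced."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key, message, tag):
    """Recompute the tag for the received message and compare in constant time."""
    return hmac.compare_digest(make_mac(key, message), tag)

def send(key, message):
    """Sender side: the message travels together with its tag."""
    return message, make_mac(key, message)

def tamper_demo(key):
    """Returns (genuine_ok, tampered_ok): the check passes only for the original."""
    msg, tag = send(key, b"transfer 100 to account 42")   # constructed message
    forged = b"transfer 900 to account 42"                  # altered in transit
    return verify(key, msg, tag), verify(key, forged, tag)
```

The tag gives integrity and authenticity but not confidentiality: the message itself is still readable by anyone on the channel, which is why the text lists encryption as a separate property.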

In the present era, securing private data, files and transactions is the main task of technology. But still they are accessed by intruders or by persons who are not authorized to access them. Many systems have been hacked easily due to a lack of proper algorithms or loopholes in them. Authenticating is the way of confirming the reality and truth of the person who is gaining access to secure data, either over a channel or on any system. Therefore we can say that authentication means actually confirming the identity of the person; in fact, authentication involves verifying the validity of any form of identification. The process of authentication is basically divided into 3 categories, based on what are known as the factors of authentication, and every authentication factor covers a wide range of elements which are used to authenticate or verify the person's reality and identity in order to grant access and approve them for the transaction request or for accessing the secure data of the system. 

In the previous password authentication schemes [12, 13, 14, 15], every user has an identifier (user_id) and a password (user_password). When a user wants to access the remote services he/she has to authenticate him/herself to the remote server by feeding his/her user_id and user_password to the server. A light authentication method is to store and manage a password table, containing users' ids and passwords, in the remote database of the server. Upon getting the user's id and password, the remote server starts matching the user id and user password in the table; once they match the respective data it grants the user access to the server's facilities. Since the user's password is not encrypted and is stored as plain text in the table, this scheme is vulnerable: an intruder can imitate a legal user by stealing the user's id and password from the table. The big disadvantage of this approach is that when an intruder intercepts the user id and password on the internet, it can replay them later to log in; this kind of attack is called a replay attack. To keep the identifier table from being stolen by intruders, the entries are generally hashed or encrypted. But during transmission they could be stolen by wiretap or by any other means, and if any person is able to fetch the password he/she can easily get control over the system. Much research has developed ways for positive authentication with three classes of elements, as follows: 

• The knowledge factors: like passwords, pass phrase or PIN. 

• The ownership factors: ID cards, tokens, cell phone. 

• The inherence factors: fingerprint, retinal patterns, DNA, etc. 

To prevent such problems, the one-time password using a one-way hash function was developed. But later it was observed that the OTP is also not safe, as it is vulnerable at the client side: if any person gets access to the OTP from the client, he/she can easily initiate the authentication process and bypass the security layers. 
1.2. FACTORS 

Authentication is basically based on 3 factors, which are as follows: 

• Something that the user has, 

• Something that the user knows, and 

• Something that the user is. 

In the 1st factor, authentication is done with the help of a physical device that an individual has. The device can be a token or a smart card. The person presents this device to the authorizing center to be validated and to access the resources. In the 2nd factor, authentication is done with the help of something the person knows, like a password or a pass phrase. The person must enter the correct password or phrase to access the resources. In the 3rd factor, authentication is done with the help of the physical features of a person, like the fingerprint or the face. Nowadays text-based passwords are basically used for authenticating the user, and they are somewhat hard to memorize for a long time. Such passwords are also vulnerable to many attacks: for example the dictionary attack, brute force attack, password guessing and key loggers are well known ways to get a text-based password [6, 23]. This is the main disadvantage of text-based passwords. Even image-based passwords are vulnerable to many attacks: if we are able to get the image of a person in any form, hard copy or soft copy, we can access his/her account easily. The case is similar with biometrics like fingerprints. For instance, Apple introduced fingerprint password locks in its iPhone 5c series and it was hacked. To recover from such damage and make authentication harder, researchers have developed graphical-based authentication, since image-based passwords are easier and comparatively lighter to memorize than text-based passwords. The graphical-based password schemes which currently exist are divided into three groups: 

• Recognition of pass-images. 

• Repeating actions in a sequential order. 

• Reproducing a particular drawing. 

But what if the image is stolen from the database? Intruders can again easily be authenticated and access the resources. Perhaps all such techniques are not secure and do not assure the safety of files, data and transactions over any channel. 
1.3. TRADITIONAL AUTHENTICATION METHODS 


1.3.1. Text based authentication 

Password-based authentication is based on text and consists of either alphabetic or alphanumeric characters, or even numbers only. Such keys are created at the time of registration; further, the user can either reset or change them. This is the most common type of technique used globally by users and by companies. 

Loopholes 

The text-based authentication can be broken by the following. 

Guessing attack: A password guessing attack is a method of gaining unauthorized access to a computer system or its resources using a computer and a large list of words. In this type of attack the intruder tries to guess the password at random. It is one of the weakest known attacks on a computer system. For each guess, the probability of gaining authorization is just 1 / (total number of possible combinations of the digits). For example, if a system uses 4-digit passwords, there will be a total of 3844 possible combinations, and each time we guess a password the probability of getting it right is 1/3844. This attack is similar to a brute force attack; the main difference between them is that one is done manually and the other with the help of a computer system. Social engineering is also used to get the credentials of users. 

1) Dictionary attack: In cryptanalysis, a dictionary attack is one of the most used techniques for defeating a cipher or authentication mechanism by trying as many decryption keys or passwords as possible. Such combinations are listed to form a dictionary, and the cryptanalysis is then done with it to gain access to the system and its resources. Various software tools exist for this, such as Brutus, Cain and Abel, Crack, Aircrack-ng, John the Ripper, Airodump-ng, L0phtCrack, the Metasploit project, Ophcrack, etc. It is very similar to a brute force attack, but the main difference between them is that one has a finite list of possible passwords (the dictionary attack) and the other has an effectively infinite list of possible passwords (the brute force attack). 

2) Key logger attack [29]: Key logging, also called keystroke capturing, is recording the keys pressed and the resulting actions. Since the person using the keyboard is unaware of the attack and its mechanism, he becomes the victim and his credentials are compromised. Such attacks are basically done to get bank account details. Key loggers can also be used for understanding human behaviour, for which acoustic analysis is done. Key loggers can be hypervisor based, kernel based, API based, form grabbing based, memory injection based, hardware based, etc. 

1.3.2. Token based authentication 

In this type of authentication system, the system is based on a token or a smart card. The user has to provide the token to the access center for authentication. It is not as common as text-based authentication. 

Loopholes 

The token-based authentication can be broken by the following. 

1) Man in the middle attack: In cryptanalysis or cryptography, a man-in-the-middle attack is a very common type of attack. In this type of attack, the intruder possibly alters the communication, secretly captures the keys exchanged between the parties, alters them, and pretends to be a genuine party. The best example of a man-in-the-middle attack is eavesdropping. There is a loss of confidentiality in this type of attack. TLS has been developed to avoid this kind of attack. 

2) Loss of token: A security token may be a physical device such as a USB token, a software-generated token, a virtual token, etc. They are basically used for authentication to the system. Security tokens are used to prove one's identity electronically. They store cryptographic keys such as digital signatures, or biometric data such as fingerprint minutiae. Some of them are designed to be tamper-resistant and waterproof, while others may include a small keypad to allow entry of a PIN, or simple buttons to start the generation routine, together with a display. Specially designed tokens may include a USB connector, RFID functions or a Bluetooth wireless interface. If such security tokens are lost or cloned, a big security loophole is created. There are vulnerabilities such as loss and theft, attacks, breach of codes, etc. 

1.3.3. Biometric authentication 

It uses basic natural physical features of humans, features that do not change throughout the lifetime, such as fingerprints, retina, etc. [18, 20, 29]. During registration such features are fed into the database and further used for verification and access to the resources [35, 36]. 

Table 1.1. Examples of biometrics. 

Biometric: Iris 
  Acquisition devices: Infrared-enabled camera, PC camera 
  Sample: Black and white iris image 
  Features: Furrows and striations of the iris 

Biometric: Voice 
  Acquisition devices: Microphone, telephone 
  Sample: Voice recording 
  Features: Frequency, vocal patterns and cadence 

Biometric: Signature 
  Acquisition devices: Signature tablets, motion-sensitive stylus 
  Sample: Image of signature and record of related dynamic measurements 
  Features: Stroke, speed, pressure and appearance of signature 

Biometric: Face 
  Acquisition devices: Image camera, PC camera, video camera 
  Sample: Optical and thermal image of face 
  Features: Relative shape and position of nose, position of cheek bones 

Biometric: Hand 
  Acquisition devices: Proprietary wall-mounted unit 
  Sample: 3-D images of sides and top of the hands 
  Features: Height and width of bones and joints present in the fingers 

Biometric: Retina 
  Acquisition devices: Proprietary desktop or wall-mounted unit 
  Sample: Retina image 
  Features: Blood vessel patterns and retina 

Biometric: Fingerprint 
  Acquisition devices: Desktop peripheral device, PC cards, mouse chip or reader embedded in keyboard 
  Sample: Fingerprint image (silicon, optical, ultrasound or touchless) 
  Features: Location and direction of ridge endings and bifurcations on the fingerprint, minutiae 


Loopholes 

The biometric-based authentication can be cracked by the following: 

1) False-positive and false-negative matches: A false positive is an error in data in which a test result improperly indicates the presence of a condition, while a false negative is an error in which a test result improperly indicates its absence. 

2) Replay attack [23]: It is also known as a playback attack. Packets are captured by the intruder in the middle of the data transmission and resent by them to gain access to or control over the system. Such attacks are very well known in the banking sector. To avoid such attacks, session tokens are used; a hash function can also be used. The session token should be chosen by a random process (also called a pseudorandom process). One-time passwords can also prevent this type of attack [10, 37]. 

3) Altering the biometric representation of features: Biometrics include all the hardware, software and interconnections end to end which enable the biometric process. These days our face, iris and DNA profile become digital files, and these files are very difficult to protect. Recent studies on biometrics state that these files can easily be stolen without great effort: it is easy to replace a swiped card and extract the data and identifiers from the card [34, 30, 35, 36]. 
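As an added example for the replay attack item above (not code from the thesis), the block below shows the defence the text names: the server issues a randomly chosen session token for each login, the client proves possession of its secret over that token, and the server consumes the token on first use, so a captured login message resent later is rejected. The server/client layout, the shared secret and the message format are constructed assumptions.

```python
"""Added example (not from the thesis): a login exchange with a random one-time
session token; a captured and replayed message is rejected. Names, secrets and
message layout are constructed for illustration."""
import hashlib
import hmac
import secrets

class Server:
    def __init__(self, user_secrets):
        self.user_secrets = user_secrets   # per-user shared secret (assumed)
        self.pending = {}                  # token -> user: issued, not yet used
        self.used = set()                  # tokens already consumed

    def challenge(self, user):
        """Issue a fresh token from a CSPRNG; a counter would be guessable."""
        token = secrets.token_hex(16)
        self.pending[token] = user
        return token

    def login(self, user, token, proof):
        # A token is valid for exactly one attempt, successful or not.
        if token in self.used or self.pending.get(token) != user:
            return "rejected: replayed or unknown token"
        self.used.add(token)
        del self.pending[token]
        expected = hmac.new(self.user_secrets[user], token.encode(),
                            hashlib.sha256).hexdigest()
        return "ok" if hmac.compare_digest(expected, proof) else "rejected: bad proof"

def client_proof(secret, token):
    """Client side: bind the shared secret to this challenge only."""
    return hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()

def replay_scenario():
    """Genuine login succeeds; the identical message resent later fails."""
    server = Server({"alice": b"alice-shared-secret"})
    token = server.challenge("alice")
    proof = client_proof(b"alice-shared-secret", token)
    first = server.login("alice", token, proof)
    # An eavesdropper captured (token, proof) on the wire and resends it as-is.
    second = server.login("alice", token, proof)
    return first, second
```

The proof never contains the secret itself, so capturing one exchange gives the eavesdropper nothing that works for a different token; the consumed-token set is what turns "captured and resent" into a detectable event worth logging.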

1.3.4. Graphical based authentication 

It is a kind of authentication system which works on images selected by the user in a predefined order, presented in a graphical user interface. For this reason this approach is called a graphical user authentication system. It is much easier than the text-based password system and offers better security than it. If there are 100 image passwords, there are about 100^8 possible combinations, and it could take about millions of years to break at an average delay of 0.1 sec. In this method graphical images are used since it is easier to remember an image than plain text. For this reason this method is in comparatively high demand in the market. Due to these good features, the system resists cracking by brute force, dictionary or key logger attacks. 

Loopholes 

1) It is very difficult to hack a system protected by this scheme, but if the database is hacked the chances of accessing the data increase. The shoulder surfing attack is one of the best known attacks on the scheme. It is a technique in which the attacker looks over someone's shoulder to get information. Shoulder surfing is an effective way to get sensitive information in a crowded place, because it is relatively easy to stand next to someone and watch as they fill in forms, enter a PIN at an ATM machine, or select the graphical pictures during login. 


1.4. SOME OF THE COMMON ATTACKS [6, 7, 23, 24] 


Table 1.2: Attack summary 

Attack: Keystroke confusion 
  Goal: Masquerade as someone else 
  Prevalence: Obsolete 
  Description: A bug that can be found in time-sharing software which allows a peculiar sequence of characters to skip password checking. 

Attack: Trojan horse 
  Goal: Recovers hidden information 
  Prevalence: Most common 
  Description: An innovative attack; it pretends to be the original script and gets into the system alongside the genuine software. 

Attack: Password audit 
  Goal: Recovers user passwords 
  Prevalence: Common 
  Description: Reviews the audit records of users' mistakes made while logging in. 

Attack: On-line password guessing 
  Goal: Recovers user passwords 
  Prevalence: Trivial 
  Description: Tries to guess the passwords. 

Attack: File theft of the passwords 
  Goal: Recovers all users' passwords 
  Prevalence: Obsolete 
  Description: Lack of high security in the database allows intruders to steal the files. 

Attack: Bogus password change 
  Goal: Recovers the user's password 
  Prevalence: Trivial 
  Description: The intruder convinces the victim to change their password to a word selected by the intruder. 

Attack: Shoulder surfing 
  Goal: Recovers the user's password 
  Prevalence: Common 
  Description: The intruder watches a user's password while standing behind them. 

Attack: Keystroke sniffing 
  Goal: Recovers the user's password 
  Prevalence: Common 
  Description: Software logs the keys pressed by the user. 

Attack: Trojan login 
  Goal: Recovers the user's password 
  Prevalence: Common 
  Description: Mimics the standard login system. 
1.5 ELEMENTS OF AN AUTHENTICATION SYSTEM 

We must consider the following several elements: 

1. The 1st element: the person, entity or principal, which denotes a certain group of people. 

2. The 2nd element: the distinguishing characteristics between certain people and groups. 

3. The 3rd element: the administrator who manages the database and authorizes and differentiates a certain group or certain people from other people. 

4. The 4th element: the authentication mechanism, which acts as a magical device that responds to words or numbers. 

5. The 5th element: the access control mechanism; the administrator grants the services if the identity is verified. If the authentication process fails, users are not allowed to access the system or its resources. 

Table 1.3. Example of the five elements in an authentication system. 

Element: Person, entity, principal 
  Cave of the 60 thieves: Any person who knew the credentials, like the password 
  Password login: Authorized user 
  Machine (teller): Owner of any bank account 
  Web server to client: Web site 

Element: Distinguishing characteristic, authenticator, tokens 
  Cave of the 60 thieves: Password "open, sesame" 
  Password login: Secret passwords 
  Machine (teller): ATM card and PIN 
  Web server to client: Certificate with public key 

Element: Owner, administrator, owning authority 
  Cave of the 60 thieves: The 60 thieves 
  Password login: Enterprise system owner 
  Machine (teller): Bank 
  Web server to client: Certificate system 

Element: Authentication mechanism 
  Cave of the 60 thieves: Device (magical) which responds to the words 
  Password login: Validation software for passwords 
  Machine (teller): Validation software for the card 
  Web server to client: Validation software for certificates 

Element: Access control mechanism 
  Cave of the 60 thieves: Process to roll the stone from in front of the cave 
  Password login: Login process 
  Machine (teller): Allows transactions 
  Web server to client: Marks the page as secure (browser) 
CHAPTER 2: REVIEW OF LITERATURES 


2.1 LITERATURE SURVEY 

The literature review is one of the basic and compulsory tasks which serves as the base of the research. During this phase, articles, published papers, books, news and newspapers from the internet, and internal documents of related theses in the same field were analyzed. We have only two choices when dealing with the research approach: quantitative or qualitative. Both are equally important, but the choice is basically based on the fundamental values on which the research is to be conducted. The main goal of the qualitative approach is to get a deeper and internal understanding of the existing problems and the situation. We have studied some papers and their descriptions are given below. 

• I-En Liao, Cheng-Chi Lee, and Min-Shiang Hwang. A password authentication scheme over insecure networks. Journal of Computer and System Sciences 72 (2006), no. 4, 727-740. [13] 

In this paper, the basic technique of authentication over insecure networks for smart cards is presented. The advantages of the algorithm are as follows: 

1. Users can easily generate and modify their pass text. 

2. The verification table or pass text database is not stored anywhere else. 

3. It has a one-time password property, which changes for every transaction. 

4. The security is entirely based on two properties, i.e. the hashing function and the discrete logarithm. 

5. There is provision for mutual authentication between the server and the user. It can withstand replay and guessing attacks. The password verification table is not stored in the database. 

Problems: The secret key is stored in the database; if the key is exposed the system can easily be destroyed. If the password is compromised, the system can be destroyed. If the OTP is compromised, the system can be destroyed. 
• Dr. Ananthi Shesashaayee (Associate Professor & Head, Department of Computer Science, Quaid E Millath Government College for Women, Chennai, Tamil Nadu, India) and D. Sumathy (Research Scholar, Department of Computer Science, Quaid E Millath Government College for Women, Chennai, Tamil Nadu). OTP Encryption Techniques in Mobile for Authentication and Transaction Security. IJIRCCE, ISSN 2320-9801, 2320-9798, 2014. 

The proposed system was developed to secure the OTP using Feistel networks; encryption and decryption techniques are used. Here the user's PIN acts as the key which is then required to decrypt the OTP. In this system the threats still exist; again the problem is with the OTP. The system specifies that the OTP is sent to the user's mobile or email, but it does not deal with the case where the cell phone is lost or stolen: the one-time password can then be misused by attackers to carry out the transaction or log in to the system. The PIN is 4 digits, which can be cracked in less than a day with the latest super computer. 

• M Viju Prakash, P Alwin Infant, and S Jeya Shobana. Eliminating vulnerable attacks using one time password and pass text analytical study of blended schema. Universal Journal of Computer Science and Engineering Technology, 1(2):133-140, 2010. [7] 

The algorithm is explained below: 

1. The user verifies himself to the SP with the help of credentials known to the SP. 

2. When the user needs to activate his cell phone as the OTP acceptor, the SP forwards the user's gateway to the SE in a URL which carries an activation request and a Secure Object. 

3. The SE confirms the Secure Object which arrives from the SP, and gets the cell phone details and number, and possibly other unique identification numbers. 

4. It generates an activation code and sends it to the client system, and an SMS to the cell phone demanding to start the client software. The cell phone pops up the client, asking to enter the activation code available on his PC, and transfers the code to the SE. 

5. The SE confirms that the code is the same as the one sent to the PC, and asks for encryption and decryption of the code sent to the mobile. 

6. The client selects a personal identification number (PIN) and enters it on the cell phone, and the further work is carried out. 

Problems: This is also not a secure algorithm for verification. Again problems arise if the OTP is compromised, the mobile is lost, or the reset code sent to the email is hacked. Each and every research deals with mechanisms for protecting the passwords at the physical layer and the presentation layer, but none of the schemes adds security features for the case where the password or OTP is compromised. 

• Brajesh Kumar Kushwaha. An approach for user authentication one time password (Numeric and graphical) scheme. Journal of Global Research in Computer Science, 3(11), 2012. [3] 

In this algorithm, the OTP and graphical pictures are used to validate the user and authorize resources to the user. Here the OTP is generated using an algorithm, and the graphics are kept constant for each phase. During authentication the OTP is again sent to the mobile, which is totally insecure if compromised. 

Note: Each and every algorithm deals with generation of the OTP, but none of the papers deals with protecting and securing the OTP. In each and every case, if the mobile is lost or stolen it can create huge problems for the genuine user. It is also vulnerable to a shoulder surfing attack: people standing behind can easily see the graphical picture that the user selects during authentication. 

• Vaidya, Binod, Park, Jong Hyuk, Yeo, Sang-Soo & Rodrigues, Joel JPC (2011). Robust one-time password authentication scheme using smart card for home network environment. Computer Communications, 34, 326-336. [5] 

The following problems exist with this proposed scheme: it has been seen that the proposed scheme requires more computational cost; it is inefficient if the password is compromised, and the system can then be destroyed; no security measures are taken at the end user side; the OTP is not secure at the user side. 

• John G Brainard, Burton S Kaliski Jr. and Ronald L Rivest. Method and apparatus for performing enhanced time-based authentication, April 22 2008. US Patent 7,363,494. [10] 

This deals with a mechanism for generating an authentication code associated with an entity; the steps are as follows: 

1. Fetch a stored secret key associated with the entity. 

2. Calculate a dynamic value related to a time interval. Recover a first generation value expressing the number of previous authentication codes generated in that time interval, and then receive the PIN. A new code is then generated by combining the dynamic value, the PIN and the secret code for a certain interval of time. A second value is then generated to compare with the received PIN. 
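The block below is an added example, not code from the thesis or from the patent, that illustrates the time-based idea behind both the OTP discussion in Chapter 1 (a one-time code from a one-way hash function) and the steps just listed: a short code is derived from a stored secret, the current time interval and the PIN, and the verifier accepts it only in the current interval (plus one step of clock drift), so a code observed once cannot be reused later. The HMAC-based construction, the step length, the secret and the PIN values are assumptions chosen for illustration; the patent's exact method is not reproduced here.

```python
"""Added example (not from the thesis or the patent): an authentication code
from secret key + time interval + PIN, verified with a small drift window.
The construction, step length, secret and PIN are constructed assumptions."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed interval length
TOLERANCE = 1       # accept one interval either side for clock drift

def interval(now_seconds):
    """The dynamic value: which time interval 'now' falls in."""
    return int(now_seconds) // STEP_SECONDS

def auth_code(secret, pin, now_seconds, digits=6):
    """Combine secret, PIN and time interval into a short numeric code."""
    msg = struct.pack(">Q", interval(now_seconds)) + pin.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    value = int.from_bytes(digest[:4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"

def verify_code(secret, pin, candidate, now_seconds):
    """Recompute for the current interval and its neighbours; nothing older."""
    base = interval(now_seconds)
    for k in range(base - TOLERANCE, base + TOLERANCE + 1):
        expected = auth_code(secret, pin, k * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

SECRET = b"constructed-device-secret"   # would live on the token/device

def reuse_scenario():
    """(valid now, same code five intervals later, same code with wrong PIN)."""
    t0 = 1_700_000_000                  # constructed 'current time'
    code = auth_code(SECRET, "4321", t0)
    return (verify_code(SECRET, "4321", code, t0),
            verify_code(SECRET, "4321", code, t0 + 5 * STEP_SECONDS),
            verify_code(SECRET, "0000", code, t0))
```

Because the PIN enters the hash rather than being sent alongside the code, the server checks "something the user has" and "something the user knows" in one comparison; the time window is what limits the damage if a code is seen by someone else, which is the weakness the surrounding reviews keep returning to.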

• Fabian Monrose, Michael K Reiter, and Susanne Wetzel. Password hardening based on keystroke dynamics. International Journal of Information Security, 1(2):69-83, 2002. [25] 

This paper presents a novel technique for improving the security of passwords. It basically deals with generating patterns of the user's keystrokes: the key pattern is built from the keystrokes of the user id and password, the hardened password is derived from the pattern and stored, and it is then used for authentication to the system. During verification the keystrokes and patterns are compared. The main problem with the scheme is that if the ids and passwords are compromised, after a little effort we can easily verify ourselves to the system. 

• Ting-Yi Chang, Cheng-Jung Tsai, and Jyun-Hao Lin. A graphical-based password 
keystroke dynamic authentication system for touch screen handheld mobile devices. 
Journal of Systems and Software, 85(5):1157-1165, 2012. [2] 

This paper proposes a new graphical-based password KDA system. It 
deals with pressure features and keystroke dynamics. The touch pressure, typing 
patterns and images are stored. During verification the user needs to apply the same 
pressure and type the password in the same sequence on the touch screen, and choose the 
respective image registered at the initial stage. It seems to be very complex: it 
involves a three-tier phase which is a little hard to memorize. 

• TongLiang Li and ZhiGang Jin. A new low cost one time id and password authentication 
protocol using popular removable storage devices. In 2009 Second International 
Conference on Intelligent Networks and Intelligent Systems, pages 213-216. IEEE, 
2009. 

In this method, plain text is not transferred over the network; by the use of a hash 
function the data are protected at both ends. The authors deal with securing the 
user and server from the most common attacks. Furthermore, the concept of random 
numbers is used: the server and the end user or client exchange two random numbers, 
which are further used to generate a session key after authentication. Different 
techniques are used for generating the key in this proposed scheme. With the help of the 
proposed method, the user can easily "memorize" a random number which is part of the 
user's id and password; this makes the scheme a one-time ID and one-time 
password scheme along with protection of the user identity. This scheme also supports mutual 
authentication, which gives the scheme the ability to ensure principal aliveness and message 
freshness. 

• Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, and John C. Mitchell. Stronger 
password authentication using browser extensions. USENIX Security, Baltimore, MD, USA, 
2005, pp. 17-32. [17] 

The authors proposed a browser extension, password hashing, and developed 
methods to strengthen password authentication on the web or at the server side with minimal 
change to the user experience and no change to the current configuration of the server. The 
main purpose of the paper is to discuss the direct challenges faced while deploying 
password hashing in a browser. Further, they discuss methods to get rid of script attacks 
on sites which are phished. Their scheme enables users to securely enter their credentials 
within the browser. 

• Francesco Bergadano, Daniele Gunetti, and Claudia Picardi. User authentication through 
keystroke dynamics. ACM Transactions on Information and System Security (TISSEC), 
5(4):367-397, 2002. [26] 

In this paper the authors present an actual measurement of keystroke dynamics which 
bounds the uncertainty of the biometric feature. They have tested their technique on 154 
individuals and achieved a False Alarm Rate of about 4% and an Impostor Pass 
Rate of less than 0.01%. Their result is reached using the same sampling of 
keywords for each entity and individual, by allowing typing errors, without 
any particular adaptation of the authentication system with respect to the available group 
of typing specimens and users, and by collecting the samples over a 28.8-Kbaud remote 
modem connection. They also identify the authentication problems faced by the user 
via keystroke. They presented a new keystroke analysis method which 
helps to solve various problems associated with keystroke analysis: the chance of 
typing errors and the intrinsic variability of typing. An authentication system using the 
scheme described in this article does not require any particular tuning, nor 
learning training, to work with a specific set of genuine users of the system. This tuning is 
possible, by increasing the strength of the system to authenticate genuine users and reject 
frauds. The text used in their experiments is too long to replace a 
password-based authentication system, but its length is admissible for other 
applications. 

• H.-M. Sun. An efficient remote user authentication scheme using smart cards. IEEE 
Trans. Consumer Electron., 46(4) (2000) 958-961. [27] 

Based on a scheme fully built on the discrete logarithm mechanism, 
Hwang and Li [28] suggested authentication for remote users using smart cards. In this paper, 
the author suggests a more efficient and more practical authentication scheme using 
smart cards. The proposed scheme significantly minimizes the communication and 
computation costs. Moreover, the password length in the scheme is 64 bits, which is very easy 
for the user to memorize. They also point out the problems in the Hwang and Li scheme 
[28]: once the discrete logarithm problem is solved, the Hwang and Li scheme can be 
destroyed. 

• J.K. Jan, Y.Y. Chen. "Paramita wisdom" password authentication scheme without 
verification tables. J. Syst. Softw. 42 (1998) 45-57. [33] 

They present the most efficient practical method to unlock the problems related to 
authentication with the help of public keys and public key distribution. Users can 
change their password freely. The password length suggested in the scheme should be 
appropriate for memorization, and the method can easily be adapted to changes in 
technology. The user doesn't share their private key over the network. The scheme is 
totally based on public keys. The main problem with the scheme is that the password 
should be of fixed length, and once the user's credentials get compromised the system can be 
destroyed. Buddha's words of wisdom are the main concept used in this scheme in order to 
avoid compromise of the credentials. 
CHAPTER 3: PRESENT WORK 


3.1 SECURITY 

In general, security means the condition of being protected against any loss or 
danger. It is basically similar to safety; the word security is synonymous with safety. 
Technically, security means something which is not only secure but also has been 
secured. Security is defined as "the quality or state of being secure, to be free from any danger". 
As far as internet security is concerned there are various areas where it can be addressed, 
like computer security, data security, application security, information security and 
network security etc. Each and every successful company should have the following levels 
of security, pointed out below: 

1. Physical security, which addresses the protection of physical items, objects, and the area of the company 
from unauthorized access or misuse. 

2. Personal security involves the protection of the users, clients and individuals or groups 
of individuals who are authorized to access the company and its operations. 

3. Operations security deals with the protection of the details of a particular 
operation, process or series of activities. 

4. Communications security deals with the protection of the company's media, 
technology, content etc. 

5. Network security and information security are the major security areas that need to 
be covered in this paper and are explained clearly below. 

Security experts help to protect their environment as efficiently as possible. They primarily 
focus on protecting confidentiality, integrity, and availability (CIA), or, say, maintaining 
CIA. 

• Confidentiality assures that no data has been exposed to others, either intentionally 
or unintentionally. 

• Integrity assures that no changes are made to the data by any unauthorized person. Data 
remains consistent both internally and externally. 

• Availability assures the availability of the data and must restrict access by 
unauthorized persons. 

Moreover, the virus is one of the basic threats to the security system [14]: "A virus may be 
introduced into the system physically when it arrives on a diskette or optical disk and is 
subsequently loaded on to a computer. Viruses may also arrive over an internet. In either 
case, once the virus is resident in a system, internal security tools are needed to detect and 
recover the system." 

3.1.1 What Is Information Security? 

Information is the life blood of the modern world. Each and every person and 
organization possesses critical or sensitive information. Information security is 
described as "the task of protecting and securing the digital information which is typically 
generated by computer systems like personal computers and smart phones, stored on 
physical devices like hard disks, optical disks and flash disks, and further transmitted over 
the network either on a secure or an unsecure channel." 

It acts as a protective layer for our digital data. Information 
must be protected because it has value. There are three characteristics of information 
which need to be protected accordingly. 

• Confidentiality assures that no data has been exposed to others, either intentionally 
or unintentionally. 

• Integrity assures that no changes are made to the data by any unauthorized person. Data 
remains consistent both internally and externally. 

• Availability assures the availability of the data and must restrict access by 
unauthorized persons. 

3.1.2 What is Network Security? 

Network security refers to the protection of the data, information, networking 
components, connections and content. We can also state that network security is the security 
of the information of the network system hardware, software, and system data from 
accidental or malicious destruction [1]. The content of network security also deals with 
both the technical aspects of the problem and the management issues. Network security also 
deals with different issues depending upon the environment; they are 
pointed out below: 

• Operating system Security. 

• Network information Security. 

• Information dissemination on the Network Security. 

• Network security of the content of the information 

3.2 PROBLEMS STATEMENTS 

If a user leaves the system without logging out or locking the session, an 
intruder gets a golden opportunity to use the system and access its resources 
without any problem. Nowadays the two-level verification technique is very common. 
Have you ever lost your smartphone or cell phone? The second-layer verification protocol 
adds a security feature tied to the smartphone or cellular phone, 
since the code generated by the system for second-layer verification is sent to the mobile device 
and is valid for one use within a fixed time window. In the traditional password system, every user 
is assigned a user id and a password. If he/she wants to log in, he/she has to submit the 
id and password. The remote server compares the user's identifiers with the data in the 
respective table of the database; if they are found correct, it authenticates the user, gives control 
to the user and allocates resources to them. The users' identifiers are stored in the form of 
plain text in the database table. To prevent theft of the data, hashing is applied 
to the table; further, it was found that hashing is also not very secure. To overcome 
these types of problems the concept of the two-level authentication system was developed, 
called One Time Password [8, 15, 7]. The main problem we found while reading the 
papers is that none of the techniques is safe enough to secure the authentication: some 
can be broken by brute-force attack and some by dictionary attack. The latest 
research papers published on authentication are fully based on password hardening 
[2, 25, 30, 35, 37] or the time legacy of the password. From that algorithm special types of patterns 
are generated and authentication works on the basis of those. Only if the text and pattern 
match can we access the resources. Generally speaking there are three 
types of identity authentication methods: identity authentication by something 
known, identity authentication by something possessed, and the last one deals with personal 
characteristics. By combining the above criteria we can enhance the security level. 

3.3 METHODOLOGY 

The methodology which has been followed consists of the following steps, 
further explained in detail in the coming chapters: 

1. A literature review. 

2. Research Approach 

3. Data collection. 

4. Data analysis 

5. Testing. 

6. Result and Analysis 

7. Conclusion and discussion 

We have developed two schemes to solve the issues currently faced by users 
and the fear of loss of integrity and confidentiality. Till date each and every scheme has 
dealt with securing the data and credentials during the transmission phase, using 
encryption, decryption, hashing etc., but none of the schemes deals with the protection of 
passwords and one-time passwords even if compromised. An end-to-end protection system 
has not been developed till date. We have worked to protect the user's data, authentication and 
authorization of resources even if the password is compromised. Our main aim is to develop 
algorithms which can protect the system even if the password is hacked or compromised. 
Let's say our id is "ABC" and password is "XYZ". Whenever anybody comes to know the id 
and password by any means, he or she can easily log into the system. This is the universal 
system of authentication. But our system deals with protection even if the password is 
known by intruders. Using the same identifiers the genuine user can log into the system, 
but with the same identifiers the intruder fails to log in. This is the first 
basic concept of our scheme. The second phase deals with OTP protection. We found 
that the OTP is not secure at the client side. Whenever we initiate a bank transaction or reset 
our ids we receive an SMS containing a 4-5 digit code that is valid for a fixed session and for 
one use. In case that code is compromised the intruder can easily get access. We 
worked hard and came to a solution to secure both of them. We added a time element 
inside the password to protect it even if the password is compromised. It is very 
efficient since none of the known attacks till date can crack it, because the time element that we 
added in the scheme can't be traced either in the database, during transmission, or by 
phishing the password. As far as the OTP is concerned we have also developed a technique to 
protect the OTP or reset code at the client side even if the OTP is compromised. For the 
protection of the OTP we added a random logic table which gets changed at each iteration. 

3.4 SCOPE OF THE STUDY 

The study basically deals with the modification of the One Time 
Password and with time elements inside the password. In the previous OTP technique there are a 
lot of vulnerabilities in the text-based password scheme and the OTP. If the OTP is 
accessed by anybody, he/she can easily access the account. The study helped me in 
developing the new pattern which helps in securing the OTP. The OTP is used for resetting 
account passwords, authenticating transactions and many more. The OTP or reset 
code is sent to the user's mobile or email id and further action is taken. But what if 
your mobile is stolen by somebody or your email id is hacked? The intruder can 
easily reset the password or authenticate the transaction. This is the main 
vulnerability of the OTP or reset code, though they are not easily cracked by a replay attack. 
This means that an intruder who gains control over an OTP which was already used to log into 
a service or to do a transaction will not be able to abuse it, since it will no longer be valid. 
OTPs are very hard for human beings to memorize, so they require some additional 
technology to work. OTP generation algorithms basically make use of pseudo-randomness 
or randomness, making prediction of successor OTPs by an attacker difficult, 
and they also use hash functions, which can be used to generate or derive a value 
and are hard to reverse back to the original input. It is therefore difficult for an intruder to get 
the data that was used during hashing. 

3.5 OBJECTIVE THE STUDY 

With the continuous rise of the information level, the importance of information and 
network security is growing at a high rate and has reached its peak. It has now become 
a matter of national security; it has affected human work, life and even the 
country. Even so, security regarding information has not been optimized till 
now. It has been a serious issue to safeguard our information, systems and networks. 
Effective protection of critical information and data and safeguarding the system are the major 
tasks and should be considered seriously. After reading the survey and the published research 
papers on OTP and text-based password authentication schemes, we found that none of the 
techniques is fully secure. Till now every algorithm deals with the technique for the 
formation of the OTP and securing the password during transit and at the server 
side, but none of the techniques tries to secure the OTP from being hacked and the password 
from being compromised. Though hash functions are used to get rid of this, the main 
problem is with the code that is sent to the email or to the mobile via SMS, phone 
call or any other means. Even after the database is accessed by the hacker/attacker they won't be able 
to recover the reset code or OTP since they are hashed. But the main problem arises at the 
end-user side, not at the server side, so the main work of the study is done to solve the 
problems that occur at the user side, that is the client side, and to protect them. The chief 
objective of the research is to find the problems which still exist in ongoing algorithms 
and to develop more secure algorithms for the protection of data and systems. While 
reviewing the literature I found many problems related to the technique which are 
unsolved and which researchers have asked to be worked on. The proposed algorithms, 
developed with help from the previous techniques, are comparatively more secure and 
hard to crack. The algorithms deal with the end-user side. Attackers can easily divert 
users to obtain the OTP / reset code from them and then do whatever they wish. 

3.6 APPLICATIONS 

Research is basically done in order to solve the issues related to previous 
problems, to find the weaknesses in already developed schemes and further to make them 
efficient. Following are the applications and advantages of our newly developed scheme. 

1) Cryptanalysis is next to impossible. The time elements that we added can't be traced by 
any attack. Without the addition of that element during authentication the user cannot log 
into the system, even if the password is transmitted over the channel in the form of plain text 
or cipher text. The time element (α, β, θ) remains safe with the user 
and is the backbone of the scheme. The second phase deals with 
the secret keys; one is generated by the system and another can be freely chosen by 
the user, and it acts as the decryption key for the OTP. 

2) It can be used in very complex systems where high security matters. Authentication is 
applied in all classes because it is the act of identifying identity. Our scheme can be used 
from low-level to high-level organizations depending upon their needs. It is a bit complex 
and hard for individuals to memorize, so low-level organizations can use our first 
scheme and high-level ones can use both schemes. We can use this scheme in areas such as 
nuclear plants, defense, banking, email systems, etc. 

3) There should be two modes: if the time elements as well as the password match, 
the interface can be accessed in both modes, that is read and write mode. If just the 
password matches, the interface can be accessed only in read mode and some 
features are kept hidden; otherwise authentication fails. 

3.7 LIMITATIONS 

1) Transmission delay may create problems during authentication. 

2) Use of the time element within the password may increase the complexity of the 
scheme. 

3) The user has to remember a lot of identifiers like id, password, time element, user 
key, system-generated key etc. 

4) In this paper we have covered the security and usability measurement in a real-time 
scenario; it doesn't work in a non-real-time environment. 
CHAPTER 4: PROPOSED ALGORITHM 


There are many schemes proposed and developed to authenticate a genuine user, but 
none of them seems to be efficient, reliable and flexible. Similarly, Chang and Wu 
developed a scheme called the remote password authentication scheme using the Chinese 
Remainder Theorem (CRT). It does not store a verification password table and protects 
against replay attack. In this scheme users can't choose their passwords and change them freely. 
The main problem with the scheme is that it fails if the password is compromised. 

4.1 DESCRIPTIONS 

In this paper, we first cover the following 10 requirements for evaluating the new 
password authentication scheme. These 10 requirements try to solve all the problems of 
text-based password schemes and OTP-based password schemes [13]. Each of them is 
equally important and independent. 

A1 : The password or verification database table is not stored in the server. 

A2 : The password can be chosen and freely updated by the user. 

A3 : The password cannot be fetched by the admin of the server. 

A4 : The password is not transmitted in plain text on the network. 

A5 : No one can impersonate a legal user to log in to the server. 

A6 : The scheme must resist the replay attack, guessing attack, modification attack, and 
stolen-verifier attack. 

A7 : The length of a password must be appropriate for memorization. 

A8 : The scheme must be efficient and practical. 

A9 : Intruders cannot access the system even if the password is compromised. 

A10 : Intruders cannot access the system even if the OTP is compromised. 

In addition, our new scheme is intended to be more efficient than the previous schemes 
in terms of time, storage, utilization and computational complexity. We have proposed two 
algorithms in this paper and they are pointed out below: 

1. 4D Password Security Algorithm. 

2. OTP securing at the end-user side / client side. 
4.1.1 ONE WAY HASH FUNCTION 

A one-way hash function h: X -> Y is a function with the following properties. 

• The function h takes a message of arbitrary (limited) length as input from the user and 
produces a message digest of fixed length as output. 

• The function h is one-way: given x, computing the output h(x) = y is easy, but 
given y it is computationally infeasible to recover x. 

• Given x, it is computationally infeasible to find x' such that x' is not equal to x but 
h(x') = h(x). 

• It is computationally infeasible to find any pair x, x' such that x' is not equal to x but h(x') = h(x). 

4.1.2 Time Element 4D 

There are three spatial dimensions: the x, y and z coordinates. They 
can be labeled with any of the forms chosen from length, height, depth and width. They are also used in 
positioning an element in a plane. Later it was found that one more dimension exists 
in the universe, called the time dimension or space-time. We have used the concept of space-time 
in our scheme to make it more efficient and reliable. Since time is measured but can't 
be seen, it helps us very efficiently in making our scheme better than the previously 
proposed ones. 


Fig 4.1: 3D Plane (x, y, z axes) 

We have considered the time elements for the scheme, represented by Greek letters 
like α, β, θ and so on. These elements store the time (in seconds) inside the password, which 
prevents every type of known attack discovered till now. 
4.2 4D AUTHENTICATION SCHEME 

Our scheme consists of basically 3 phases. 

• Registration phase. 

• Authentication phase. 

• Password change phase. 

4.2.1 Registration Phase 

This phase deals with the registration or admission of the user to the server with the 
required credentials. Once the registration phase is completed the user is assigned their details, 
so that further on the user can authenticate himself to the server within a given time period. 

4.2.2 Authentication Phase 

This is one of the important phases in which users get access control or resource 
allocation from the server. During this phase users need to input their credentials, like user 
id and password, along with the time elements, and send the request to the server [13, 12]. The remote 
server compares the inputs with the stored ones from its database and replies with true to the 
user. After successfully clearing the first phase the user needs to request the server to generate a one-time 
password. The server takes the request, generates the one-time 
password, encrypts it with secret keys generated from the user id and 
password of the user, and sends it back to the user. The user needs to decrypt the one-time password 
and send the decrypted key back to the server. The remote server again compares it 
with the database and returns true if matched. 

4.2.3 Password change Phase 

This phase is equally important. It deals with changes made to the user's stored 
credentials like the password. Users are free to change and modify their credentials; no 
extra effort is required for this phase. Whenever a user changes their credentials the 
secret keys automatically get changed, and so we can conclude that even if the 
system is compromised the user can change their credentials in no time and secure their 
account. 
So let's first discuss the 4D password authentication scheme. The basic steps and 
concepts of 4D authentication are briefly described in the following points: 

1. The user selects the user id and password as per their requirements. 

2. The system asks to insert a timer between each character of the password (let the 
range be 0-15 sec), so that while entering the password, he/she has to input the 
keys of the password after the specific delay. 

3. The system runs the one-way hash function and hashes the identifiers (user id, 
password). 

4.3 ONE TIME PASSWORD 

A one time password (OTP) is a kind of password which works for only one session 
or transaction, on a system or other electronic digital device [9]. OTPs may be in the form 
of numbers or characters that are associated with traditional (static) password-based 
authentication. They are implemented to provide two-factor authentication security to the 
user. The most significant advantage of the one-time password is that it is not vulnerable 
to replay attack: it is valid for only one session. The main aim of the one-time password is to 
secure the user account if the credentials are compromised or hacked [1]. One-time 
passwords can't easily be intercepted by any hacker unless the device receiving 
the OTP is stolen; it is dangerous if the device is stolen or the email is hacked. It has 
enhanced the traditional password authentication system. 

4.3.1 OTP Generation 

OTP generation algorithms use a pseudo-random or random function which 
is associated with the user's data. It is easy to predict the OTP by looking at the previous one, so 
a random function is used to prevent this. Some OTP generation algorithms are 
pointed out below: 

• HMAC-based One-time Password Algorithm 

• Time-based One-time Password Algorithm 

We have considered the HMAC-based One-time Password Algorithm for our scheme since 
Time-based One-time Password algorithms are vulnerable. They can be captured by 
malware if installed on the device. They can also be read by any person without unlocking 
the device. 


4.3.2 HMAC Algorithm overview [34] 

This section explains an algorithm which is used to develop time-synchronized OTP 
values based on the SHA-1 hash function and Hash Message Authentication Code 
(HMAC). This is also called HMAC-based One-Time Password. The OTP generated is fully 
based on HMAC. The One-Time Password is no doubt one of the easiest and most popular 
methods of 2-factor authentication used for securing access to accounts from hackers 
or unauthorized users. One-time passwords are often referred to as one of the more secure and 
stronger techniques of authentication, and can be easily installed across multiple machines 
including home computers, mobile phones etc. When the user logs in to the system, an OTP is 
generated and sent to the user's e-mail id or mobile phone in the form of an SMS. The 
user is then directed to the next step to enter the OTP. If the OTP is verified, the user gets access 
to the system and its resources. 
Fig 4.2: Data flow diagram 

Algorithm Requirements 

X1 - The algorithm MUST be time synchronized. 

X2 - The algorithm SHOULD be economical and easy to implement. 

X3 - The algorithm MUST work efficiently. 

X4 - The value displayed in the email or SMS should be easy to read and enter by the user. For 
this the OTP value should be of flexible length, such as a 4-digit or 6-digit value. 

X5 - User-friendly environment. 

4.4 ALGORITHMS OF 4D AUTHENTICATION SCHEME AND 
HMAC OTP 

Let us consider the user id and password to be ABC and XYZ respectively; α, β, θ are the 
time-storing elements (in sec) and are inserted between the characters of XYZ, i.e. αXβYθZ, and μ 
(sec) is the total time required to input the password. 

Whenever the user inputs the password XYZ to the system, though it seems to be right, 
the system cannot validate the user because he/she has to wait for α, β, θ sec before pressing 
each key of the password, and also has to enter the total number of characters of the password within μ (sec). 
In order to get control of the system or resources, the user has to input the password keys after 
α, β, θ sec. The proposed algorithm contains the following basic steps: 

1. Registration Phase. 

2. Login or Authentication Phase (Using UId. Pwd, OTP) 

3. Services Request. 
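The timed-password check described in the 4D steps of section 4.2 and in the αXβYθZ / μ description above, as an added example that is not the thesis's own code. It assumes a server-side record of (UIDc, h(PWD), [α, β, θ], μ) as in the registration step, a per-element tolerance to absorb transmission delay (limitation 1), and the read/write access modes of application 3; all function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Tuple

# Added example (not the thesis's code): a 4D password check in which the
# password "XYZ" is typed as alpha-X-beta-Y-theta-Z and must be finished
# within mu seconds. The record layout follows the registration step
# (UIDc, h(PWD), [alpha, beta, theta], mu); names here are hypothetical.

TOLERANCE_SEC = 0.5   # assumed slack per element, to absorb transmission delay


@dataclass
class Record:
    uid: str
    salt: bytes
    pwd_hash: bytes        # h(PWD): the clear password is never stored
    elements: List[float]  # [alpha, beta, theta], one delay per password character
    mu: float              # total time allowed to input the whole password


def hash_pwd(pwd: str, salt: bytes) -> bytes:
    """One-way hash of the password, salted so equal passwords hash differently."""
    return hashlib.sha256(salt + pwd.encode()).digest()


def register(uid: str, pwd: str, elements: List[float], mu: float) -> Record:
    """Registration phase: validate the chosen time elements and build the record."""
    if len(elements) != len(pwd):
        raise ValueError("one time element is needed per password character")
    if any(not 0 <= e <= 15 for e in elements):   # thesis range: 0-15 sec
        raise ValueError("time elements must lie in 0..15 seconds")
    if sum(elements) > mu:
        raise ValueError("mu must cover the sum of the time elements")
    salt = os.urandom(16)
    return Record(uid, salt, hash_pwd(pwd, salt), list(elements), mu)


def elements_from_timestamps(t_start: float, key_times: List[float]) -> Tuple[List[float], float]:
    """Turn keystroke timestamps into the typed [alpha, beta, theta] and the total time."""
    delays, prev = [], t_start
    for t in key_times:
        delays.append(t - prev)
        prev = t
    return delays, key_times[-1] - t_start


def verify_4d(rec: Record, uid: str, typed_pwd: str, t_start: float,
              key_times: List[float]) -> str:
    """Authentication phase. Returns the access mode of application 3 in the
    thesis: READ_WRITE when password and timing match, READ_ONLY when only the
    password matches, FAIL otherwise."""
    if uid != rec.uid or not key_times or len(key_times) != len(typed_pwd):
        return "FAIL"
    if not hmac.compare_digest(hash_pwd(typed_pwd, rec.salt), rec.pwd_hash):
        return "FAIL"
    delays, total = elements_from_timestamps(t_start, key_times)
    timing_ok = (all(abs(d - e) <= TOLERANCE_SEC for d, e in zip(delays, rec.elements))
                 and total <= rec.mu + TOLERANCE_SEC)
    return "READ_WRITE" if timing_ok else "READ_ONLY"


if __name__ == "__main__":
    # Constructed sample: id ABC, password XYZ, alpha=2, beta=3, theta=1, mu=7.
    rec = register("ABC", "XYZ", [2.0, 3.0, 1.0], 7.0)
    print(verify_4d(rec, "ABC", "XYZ", 0.0, [2.1, 5.0, 6.2]))   # genuine user
    print(verify_4d(rec, "ABC", "XYZ", 0.0, [0.2, 0.4, 0.6]))   # knows password only
    print(verify_4d(rec, "ABC", "XYW", 0.0, [2.1, 5.0, 6.2]))   # wrong password
```

The second call shows the scheme's central claim: an intruder who knows "XYZ" but not the delays is held to read-only mode.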

Notation: The following notations are used throughout the paper. 


Table 4.1: Notation and summary 

Notation      Description 
U             User/client 
UIDc          User identifier 
PWD           User password 
α, β, θ       Used to store the time element between the keys of the password 
μ             Total time to input the password in the system 
H             Hash function 
RMS(1..x)     Remote servers, service servers 
Ukx           User secret key 
Kx(1..x)      Computer generated key 
(i, j)        Row and column value 
OTP           One time password 
FN            Any function 
T             Time factor 
OTPx          Encrypted OTP 
OTPy          Decrypted OTP 
TOK           Token 
OHMK          OTP generation algorithm 

Here, we have developed algorithms for an authentication scheme based on 4D (time 
dimension), OTP and a random table. The proposed works are listed below. The proposed 
algorithm contains the following basic steps: 

1. Registration Phase. 

2. Login or Authentication Phase (Using UId, Pwd, OTP) 

3. Services Request. 



Fig 4.3: Authentication flow diagram 


4.4.1 Registration Phase 


Fig 4.4: Registration Phase (User sends UIDc, PWD, [α, β, θ], μ to RMS; RMS returns 
UIDc, PWD, [α, β, θ], μ, Ukx, Kx(1..x) to the User) 
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STEP 1: 

- User /client choose UIDc, PVVDc, [a, (3, G] f. i , User secrete key (Ukx) and sends them to 
a Remote server (RMS1) over a secure/unsecure channel. 

- RMS 1 Store the identifiers UIDc and PVVD along with [a, p, 0] fi where PWD= h (PWD) 
(h=hash). 

STEP 2: 

- RMS1 Server Generate Secrete Key Kl; Kl= FN {UIDc, PWD}; 1 digit. 

STEP 3: 

* Store UIDc, h (PWD) [a, p, 0] p, Kl, Ukx (i, j) -> Database. 

STEP 4: 

- Ukx: User Secrete Key; 1 Digit. 

- Send Back the Information to the user i.e (UTDc, PWD, [a, p, 0] p, Ukx, Kx (1 x)) 

Note: Further Kl, and Ukx will act as the Value of the Random table’s rows and column 


Where i=Kl and j=Ukx. 


4.4.2 Authentication Phase

Fig 4.5: Authentication phase. User -> Remote Server: Send (UIDc, PWD [α, β, θ], μ). Remote Server -> User: Reply (True, False). If Reply = True, then User -> RMS: Request (OTP); RMS generates the OTP and encrypts it to OTPx(i, j); RMS -> User: OTP; the user decrypts the OTP to OTPy; User -> RMS: OTPy; if OTPy == OTPx, return True: login success.


STEP 1:

- Input UIDc, PWDc [α, β, θ] within μ time.

- Submit to the remote server.

- If UIDc, PWD [α, β, θ] μ are found correct, the server replies True; if incorrect, the attempt fails.

- The user requests the remote server (RMS) to generate the OTP.

- The server generates the OTP using the HMAC algorithm, encrypts the OTP with the value fetched from the random table at (i, j), hashes it and stores it as OTPx in the database.

- The server sends the OTP (not OTPx) back to the user.

- The user decrypts the OTP using the same random table with the (K1, Ukx) value and forms OTPy.

- The user sends OTPy to the RMS.

- The RMS server compares OTPy with OTPx.

If found correct:

- Reply success, generate a token (TOK) valid for time T and authorize services to the user.

Else: failed to authenticate.
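The registration and authentication steps above, carried through as an added Python example (this is not code from the thesis; it models the scheme as described). It assumes a ±0.5 s tolerance per key, since a human cannot reproduce a delay exactly, and stores h(PWD) as a salted PBKDF2 hash rather than a bare hash; keystroke times are given as seconds since the password field was focused, which is where a client would measure the α, β, θ values. The names register, authenticate, delays_from_presses and TOLERANCE are the example's own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

TOLERANCE = 0.5  # assumed per-key tolerance in seconds (not specified on the page)


@dataclass
class Record:
    salt: bytes
    pwd_hash: bytes
    delays: tuple   # (α, β, θ, ...): one delay per password key, in seconds
    mu: float       # μ: total time allowed for the whole password, in seconds


def h(pwd: str, salt: bytes) -> bytes:
    # h(PWD) from the page; salted and iterated here as an added hardening assumption
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 100_000)


def register(db: dict, uid: str, pwd: str, delays, mu: float) -> None:
    """Registration phase: store UIDc, h(PWD), [α, β, θ] and μ."""
    if len(delays) != len(pwd):
        raise ValueError("exactly one time element per password key")
    if sum(delays) > mu:
        raise ValueError("the delays alone already exceed the total window μ")
    salt = os.urandom(16)
    db[uid] = Record(salt, h(pwd, salt), tuple(float(d) for d in delays), float(mu))


def delays_from_presses(press_times):
    """Turn absolute key-press times (seconds since focus) into the delay before each key."""
    out, prev = [], 0.0
    for t in press_times:
        out.append(t - prev)
        prev = t
    return out


def authenticate(db: dict, uid: str, pwd: str, press_times) -> bool:
    """Authentication phase: password hash, per-key delays and total time must all match."""
    rec = db.get(uid)
    if rec is None:
        return False
    pwd_ok = hmac.compare_digest(h(pwd, rec.salt), rec.pwd_hash)
    observed = delays_from_presses(press_times)
    timing_ok = len(observed) == len(rec.delays) and all(
        abs(o - e) <= TOLERANCE for o, e in zip(observed, rec.delays)
    )
    # μ check: the last key must be pressed within the total window
    total_ok = bool(press_times) and press_times[-1] <= rec.mu
    # all three checks are computed before the decision, so a failure does not
    # reveal which part (password, rhythm or total time) was wrong
    return pwd_ok and timing_ok and total_ok


if __name__ == "__main__":
    db = {}
    register(db, "ABC", "XYZ", (1.0, 2.0, 1.0), mu=6.0)   # αXβYθZ with α=1, β=2, θ=1
    print(authenticate(db, "ABC", "XYZ", [1.0, 3.1, 4.0]))  # True: right password, right rhythm
    print(authenticate(db, "ABC", "XYZ", [0.1, 0.2, 0.3]))  # False: stolen password typed at once
    print(authenticate(db, "ABC", "XYZ", [1.0, 3.0, 8.0]))  # False: total exceeds μ
```

A stolen password alone fails both the rhythm check and, when typed in one burst, nothing else; the tolerance value is the knob that trades usability against how precisely an attacker must reproduce the delays.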

4.4.3 OTP Generation Phase

The following notation is used in the OTP generation algorithm.

Table 4.2: HMAC notations

  T        Represents the time (moving factor) value
  Key      Secret key shared between client and server
  Digit    Number of digits in the output OTP value
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4.4.3. 1 Description 1341 

This algorithm is fully based on increment on time value function and a static 
symmetric key known only to client and server. To generate OTP value, a HMAC- SHA 
1 algorithm is used. The result of the HMAC-SHA- 1 is 1 60 bits, so we have to truncate the 
value get the smaller digit. 

OTP (Key, T) = Truncate (ToHex (HMAC-SHA- 1 (Key, T))) 

Where -Truncate function converts the value generated through HMAC-SH A-l to an OTP 
value. 

4.4.3.2 Generation of OTP Value

The algorithm can be explained in four steps:

Step 1: Generate the HMAC-SHA-1 value. Let HMK1 = HMAC-SHA-1(Key, T) // HMK1 is a 20-byte string.

Step 2: Generate the hex code of HMK1: HexHMK1 = ToHex(HMK1).

Step 3: Extract the 8-digit or 6-digit OTP value from the string: OTP = Truncate(HexHMK1).

Step 4:

- Store OTP -> Database.

- Encrypt OTP with (K1, Ukx -> i, j): OTPx = {OTP, (i(K1), j(Ukx))}.

- Send OTP to the user, not OTPx.

4.4.3.3 Operation

    import javax.crypto.Mac;
    import javax.crypto.spec.SecretKeySpec;
    // key: the shared secret bytes; tBytes: the time value T as an 8-byte big-endian counter
    Mac mac = Mac.getInstance("HmacSHA1");
    mac.init(new SecretKeySpec(key, "HmacSHA1"));
    byte[] output = mac.doFinal(tBytes);              // HMK1: 20-byte HMAC-SHA-1 value
    StringBuilder buf1 = new StringBuilder();
    for (byte b : output) {                            // ToHex: two hex digits per byte
        buf1.append(Character.forDigit((b >> 4) & 0x0F, 16));
        buf1.append(Character.forDigit(b & 0x0F, 16));
    }
    String otp = buf1.toString().substring(0, 6);     // Truncate: first 6 hex digits
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{Key. T} 


i 



Fig 4.6. OTP Mechanism 

Note: K1 and Ukx will be the row and column values of the random table generated during authentication.
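Steps 1 to 4 of 4.4.3.2 and the operation sketch above, as an added Python example (not code from the thesis). It computes HMAC-SHA-1 over the moving factor T and truncates it two ways: the RFC 4226 dynamic truncation to decimal digits, and the page's hex-prefix truncation (ToHex, then the first Digit characters). It also adds a server-side verify with a look-ahead window, which the page does not describe but which any counter-based deployment needs once client and server counters drift. The key in the checks is the RFC 4226 Appendix D test secret; hotp, hotp_hex_prefix and verify are this example's names.

```python
import hashlib
import hmac
import struct


def _hmac_sha1(key: bytes, counter: int) -> bytes:
    """HMK1 = HMAC-SHA-1(Key, T): T is the moving factor as an 8-byte big-endian integer."""
    return hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()  # 20 bytes


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of the 160-bit HMAC to `digits` decimal digits."""
    hmk = _hmac_sha1(key, counter)
    offset = hmk[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = ((hmk[offset] & 0x7F) << 24           # clear the sign bit of the 31-bit value
            | hmk[offset + 1] << 16
            | hmk[offset + 2] << 8
            | hmk[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def hotp_hex_prefix(key: bytes, counter: int, digits: int = 6) -> str:
    """The page's variant: OTP = Truncate(ToHex(HMAC-SHA-1(Key, T))) as a hex prefix."""
    return _hmac_sha1(key, counter).hex()[:digits]


def verify(key: bytes, candidate: str, server_counter: int, window: int = 3, digits: int = 6):
    """Server-side check with a look-ahead window.

    Returns the counter value to store next (one past the matching counter), or None.
    Each candidate is compared in constant time, and the stored counter moves past the
    value that matched, so the same OTP cannot be accepted twice.
    """
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"      # RFC 4226 Appendix D test secret
    for t in range(3):
        print(t, hotp(key, t), hotp_hex_prefix(key, t))
    print(verify(key, hotp(key, 2), server_counter=0))   # 3: counter 2 matched
```

The hex-prefix variant keeps the page's formula literally, but note that six hex characters carry 24 bits against about 20 bits for six decimal digits, and that the RFC's dynamic offset exists to avoid always exposing the same fixed slice of the HMAC.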

4.4.4 Password Change Phase

Step 1:

- Log in to the system.

- Initiate the password change interface.

- Enter the previous (PWD) [α, β, θ] within μ time.

- An encrypted OTP is generated.

- Decrypt the OTP.

- On valid decryption, replace the (PWD) [α, β, θ] μ with the new one.

- Generate a new K1; overwrite the old K1.

- Ukx remains the same. Send the result back to the user.
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Successful User Authentication 


Generate Token TOK for T time 


i 

Authorized Services for T Time for 
Valid Token TOK 


Fig 4.7: Algorithms summary 
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CHAPTER 5: CRYPTANALYSIS 


5.1 CRYPTANALYSIS

Cryptanalysis is the study of information systems in order to uncover the hidden aspects of those systems. Cryptanalysis is used to break cryptographic security systems and gain access to a system and its information, even when the key is not known. Beyond the mathematical study of the algorithms, it includes side-channel attacks that do not target weaknesses in the cryptographic algorithms themselves, but instead exploit weaknesses in their implementation. Cryptanalysis refers to the study of ciphers, ciphertext, or cryptosystems (that is, secret code systems) with a view to finding weaknesses in them that will permit retrieval of the plaintext from the ciphertext, without necessarily knowing the key or the algorithm [31].

5.1.1 Role of Cryptanalyst

A discipline related to cryptography is cryptanalysis, defined as the methods of recovering plaintext from ciphertext without the key. These two streams combine to form the science of cryptology. The cryptographer deals with securing information by building strong cryptosystems, while the cryptanalyst deals with the weaknesses or flaws in the developed cryptosystems and breaches the security implemented on them. Professional cryptanalysts perform an important role in evaluating and confirming the strength of cryptosystems. In fact, cryptosystems are generally not considered secure until they have withstood serious cryptanalysis. Cryptanalysts can use the most powerful computing systems and many different procedures, processes and techniques to mount attacks on a system. A skilled cryptanalyst can even recover plaintext from samples of ciphertext without knowing the cipher that was used to generate it. Cryptanalysis can also be used illegitimately for unlawful gain. Highly trained intruders can use cryptanalysis methods as part of their attacks on security systems. When properly deployed, standard cryptography-based security methods provide sufficient protection against a wide range of attacks, including common cryptanalysis methods. However, to obtain highly valuable data, highly trained intruders or intelligence agents with powerful computing systems may have the motive to mount expensive and highly advanced cryptanalytic attacks. Stopping such advanced cryptanalytic attacks requires extremely secure systems that use strong cryptography-based security technologies.

5.2 OBJECTIVE OF MODERN CRYPTOGRAPHY

No cryptographic computing system, called a cryptosystem, can be believed to be absolutely unbreakable or beyond compromise. However unlikely a successful attack might seem, there is always some surface of the cryptosystem that can be compromised. The history of cryptography is full of examples of security techniques that were once considered powerful, and yet intruders were able to break the security of the system and compromise its credentials. Since cryptographers are not aware of every kind of attack, they cannot develop and deploy cryptosystems in real life that are guaranteed to have no weaknesses or to be impervious to unforeseeable techniques of attack. Furthermore, cryptographic security systems must be deployed in the real world, so they are subject to real-world limitations, restrictions and constraints. Every security system, including cryptography-based security, has weak points that can potentially be exposed and exploited.

The main aim of modern cryptosystems is not to supply complete, perfect or risk-free security. Rather, the objective of cryptography-based security is to protect information and resources by making unauthorized acquisition of the information, or tampering with it, more costly than the potential value that might be obtained. Since the worth of information usually decreases over time, good cryptography-based security preserves information until its value is less than the cost of illegally obtaining or tampering with it. Good cryptography, when properly deployed and used, can secure our information and systems up to a point. For example, many modern cryptosystems make it very hard, but not impossible, for an intruder to obtain the keys or passwords. Although the key might eventually be determined by a highly skilled person given enough time and effort, cryptosystems can still provide strong protection for valuable information and systems. Even where intruders could feasibly guess the correct decoding key or password, the cost to the intruders would be much more than the value of the information being secured by the key or password. For well-evaluated, well-designed and well-analyzed cryptosystems without any known weakness, the primary protection against attack depends on the length of the password or secret key. Cryptosystems whose secret keys are shorter than the plaintext are subject to exhaustive search attacks, where the intruder tries all possible combinations of the secret key until it is found. For long passwords or secret keys, an exhaustive search requires fast and expensive computing devices to conduct the brute force attack, and the attack can take thousands or even millions of years to complete. Cryptosystems can be protected against brute force attacks simply by increasing the length of the password or secret key enough to make the attack computationally infeasible or cost-prohibitive. Another objective of all security systems, including cryptography-based security systems, is to protect information and resources at a cost lower than the value of the information being protected. A cryptography-based security system must be feasible and efficient, providing security at acceptable cost.

5.3 SECURITY FUNCTIONS OF CRYPTOGRAPHY [1]

Cryptography is most frequently associated with the confidentiality of information and data that it provides. However, cryptography provides the following four basic functions:

5.3.1 Confidentiality

It helps to assure that only approved persons can read or use confidential information. Without confidentiality, anyone with network access can use tools to eavesdrop on the network and capture valuable information. Intruders who gain illegal network access and permissions can steal information that is stored as plaintext or transmitted over a channel. To prevent this, systems use methods and mechanisms to protect the confidentiality of information; encryption is the technique used to preserve confidentiality.

5.3.2 Authentication

It is necessary to verify the identity of the entities that exchange data over the network. Without an authentication mechanism, anyone with network access can use readily available tools to forge Internet Protocol (IP) addresses and impersonate others. Therefore, systems use various methods and mechanisms to authenticate both the user and the server that receive the information.

5.3.3 Integrity

It verifies that the original structure of the information has not been corrupted, tampered with or altered. Without integrity, anyone may change the information, or the information may become corrupted, and the alteration could remain undetected. To prevent this, many systems use methods and mechanisms to verify the integrity of information; a digital signature is one of the best of these.

5.3.4 Nonrepudiation

It assures that a party to a communication cannot deny that part of the communication happened. Without nonrepudiation, anyone can communicate and then later either deny the communication entirely or claim that it happened at a different time. To provide this, systems must produce evidence of the communications and transactions that happened, so that the persons involved cannot easily refute it [24].

5.4 BRUTE FORCE ATTACK ON PREVIOUS SCHEME [6]

How long will your password stand up? This is the main question that arises in our minds. As we have proposed two algorithms, we first need to discuss the possible attacks on the 4D scheme. Before moving forward we need to look at password recovery speeds. The following tables describe them.

Classes of passwords per second for a brute force attack:

Class A: 10,000 passwords/sec. Typical for recovery of Microsoft Office passwords on a Pentium 100.

Class B: 100,000 passwords/sec. Typical for recovery of Windows Password Cache (.PWL files) passwords on a Pentium 100.

Class C: 1,000,000 passwords/sec. Typical for recovery of ZIP or ARJ passwords on a Pentium 100.

Class D: 10,000,000 passwords/sec. Fast PC, dual-processor PC.

Class E: 100,000,000 passwords/sec. Workstation, or multiple PCs working together.

Class F: 1,000,000,000 passwords/sec.
5.4.1 Brute Force on a 10-Character Alphabet

Numerals: 0123456789

Table 5.1: Brute force on 10-character numeric passwords (total search time at each class's rate; "Instant" means about one second or less)

  Length  Combinations   Class A      Class B      Class C      Class D      Class E   Class F
  2       100            Instant      Instant      Instant      Instant      Instant   Instant
  3       1,000          Instant      Instant      Instant      Instant      Instant   Instant
  4       10,000         Instant      Instant      Instant      Instant      Instant   Instant
  5       100,000        10 sec       Instant      Instant      Instant      Instant   Instant
  6       1 Million      1½ minutes   10 sec       Instant      Instant      Instant   Instant
  7       10 Million     17 minutes   1½ minutes   10 sec       Instant      Instant   Instant
  8       100 Million    2¾ hours     17 minutes   1½ minutes   10 sec       Instant   Instant
  9       1,000 Million  28 hours     2¾ hours     17 minutes   1½ minutes   10 sec    Instant
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5.4.2 Brute Force 26 Character Length. Either upper or lowercase. 


Upper Case Alpha 

ABCDEFGHIJKLMNOPQRSTUVWXYZ 

Lower Case Alpha 

Abcdefghijklmnopqrstuvwxyz 


Table 5.2: Brute Force 26 Character length Brute force 



Password 

Class 

of 

Attack 





Length 

Combinations 

Class A 

Class B 

Class C 

Class D 

Class E 

Class F 

2 

676 

Inst 

Insta 

Instant 

Instant 

Instant 

Instant 



ant 

nt 





3 

17,576 

< 2 

Insta 

Instant 

Instant 

Instant 

Instant 



Sec 

nt 





4 

456,976 

46 

5 

Instant 

Instant 

Instant 

Instant 



Sec 

Sec 





5 

11.8 

20 

2 

12 Sec 

Instant 

Instant 

Instant 


Million 

Min 

Min 





6 

308.9 


51 Va 

5 Min 

30 Sec 

3 sec 

Instant 


Million 

Hou 

Min 







rs 






7 

8 Billion 

9 

22 

2Va 

13 Min 

1 Va min 

8 sec 



Day 

Hou 

Hour's 






s 

rs 





8 

200 Billion 

242 

24 

2V2 

348 

35 Min 

3 Vi 



Day 

Day 

Days 

Min 


Min 



s 

s 





9 

5.4 Trillion 

17 

21 

63 

6 Va 

15 

1 Vz 



Yea 

Mon 

Days 

days 

Hours 

Hours 



rs 

ths 
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10 

141 

447 

45 

4'/2 

163 

16 days 

39 '/4 


Trillion 

Yea 

Year 

Years 

days 


Hours 



rs 

s 





12 

95 

302. 

30.260 

3.026 

302 

30 Years 

3 Years 


Quadrillion 

603 

Years 

Years 

Years 





Yea 








rs 






15 

1.6 

53 

532 

53 

5 

531855 

53185 


Sextillion 

Trillion 

Million 

Million 

Million 

Years 

Years 



Years 

years 

Years 

Years 



20 

19.9 

63 

6.3Qua 

631Qu 

631 

6.3 

631 


Octillion 

Qua 

drillin 

adrillio 

Trillion 

Trillion 

Billion 



drill 

Years 

n 

Years 

Years 

Years 



ion 


Years 





Yea 


rs 


5.4.3 Brute Force on a 36-Character Alphabet (either upper or lower case, plus numbers)

Table 5.3: Brute force on 36-character passwords

  Length  Combinations   Class A     Class B   Class C   Class D   Class E   Class F
  2       1,296          Instant     Instant   Instant   Instant   Instant   Instant
  3       46,656         4 sec       Instant   Instant   Instant   Instant   Instant
  4       1.6 Million    2½ min      16 sec    1½ sec    Instant   Instant   Instant
  5       60.4 Million   1½ hours    10 min    1 min     Instant   Instant   Instant

5.4.4 Brute Force on a 52-Character Alphabet

Mixed alpha: AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

Table 5.4: Brute force on 52-character passwords

  Length  Combinations     Class A       Class B     Class C     Class D     Class E    Class F
  2       2,704            Instant       Instant     Instant     Instant     Instant    Instant
  3       140,608          14 sec        < 2 sec     Instant     Instant     Instant    Instant
  4       7.3 Million      12¼ min       1¼ min      8 sec       Instant     Instant    Instant
  5       380 Million      10½ hours     1 hour      6 minutes   38 sec      4 sec      Instant
  6       19 Billion       23 days       2¼ days     5½ hours    33 min      3¼ min     19 sec
  7       1 Trillion       3¼ years      119 days    12 days     28½ hours   3 hours    17 min
  8       53 Trillion      169½ years    17 years    1¾ years    62 days     6 days     15 hours
  9       2.7 Quadrillion  8,815 years   881 years   88 years    9 years     322 days   32 days



5.4.5 Brute Force on a 62-Character Alphabet (mixed upper, lower and numbers)

Mixed alpha and numbers: 0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz

Table 5.5: Brute force on 62-character passwords

  Length  Combinations   Class A     Class B     Class C     Class D     Class E    Class F
  2       3,844          Instant     Instant     Instant     Instant     Instant    Instant
  3       238,328        23 sec      < 3 sec     Instant     Instant     Instant    Instant
  4       15 Million     24½ min     2½ min      15 sec      < 2 sec     Instant    Instant
  5       916 Million    1 day       2½ hours    15¼ min     1½ min      9 sec      Instant
  6       57 Billion     66 days     6½ days     16 hours    1½ hours    9½ min     56 sec
  7       3.5 Trillion   11 years    1 year      41 days     4 days      10 hours   58 min
  8       218 Trillion   692 years   69¼ years   7 years     253 days    25¼ days   60½ hours


5.4.6 Brute Force on an 86-Character Alphabet (mixed upper, lower and symbols)

Mixed alpha and symbols: AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz<SP>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

Table 5.6: Brute force on 86-character passwords

  Length  Combinations     Class A       Class B     Class C    Class D    Class E    Class F
  2       7,396            Instant       Instant     Instant    Instant    Instant    Instant
  8       2.9 Quadrillion  9,488 years   948 years   94 years   9½ years   346 days   34 days
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5.4.7 Brute -Force 94 Character length. Mixed upper, lower, numbers and symbol 


Mixed Alpha Number AaBbCcDdEeFfCgHhTiJjKkLlMniNnOoPpQqRrSsTtUuVvWwX 
and Symbol xYxZz<SP>l M #S%& , ()*+,-./:;<=>?@[\l A J{|}‘0123456789 


Table 5.7 Brute -Force 94 Character length 



Password 

Class 

of 

Attack 





Length 

Combinations 

Class A 

Class B 

Class C 

Class D 

Class E 

Class F 

2 

9.216 

Instant 

Instant 

Instant 

Instant 

Instant 

Instant 

3 

884.736 

SSVz 

9 Sec 

Instant 

Instant 

Instant 

Instant 



Sec 






4 

85 Million 

Vk 

14 Min 

1 Vz Min 

8 V 2 Sec 

Instant 

Instant 



Hours 






5 

8 Billion 

m 

22Vz 

2Va 

\3Vz 

U /4 Min 

8 Sec 



Days 

Hours 

Hours 

Min 



6 

782 Billion 

2 % 

90 Days 

9 Days 

22 

2 Hours 

13 Min 



Years 



Hours 



7 

75 Trillion 

238 

24 Years 

2 Vi 

87 Days 

m 

20 



Years 


Years 


Days 

Hours 

8 

7.2 

22,875 

2,287 

229 

23 Years 

2Va 

83 


Quadrillion 

Years 

Years 

Years 


Years 

Days 
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5.5 BRUTE FORCE ATTACK ON OUR SCHEME 

In tliis section we will discuss the probability of cracking the password using the 
brute-force attack within given time interval between time tl to oo. 


i — i \ 1 \ 

tl t2 t2 t3 t3 00 

I 

tl 

Fig 5.1: Time Sequences 

1 . The First parts deals between with the time between tl to t2 for brute forcing. 

2. The Second parts deals between with the time between t2 to t3 for brute forcing. 

3. The third parts deals between with the time between t3 to oo for brute forcing. 

4. And the Last Part deals between with the times between tl to oo for brute 
forcing. 

Conditions: 

• If Passwords enters between the time tl to <t2. It will be invalid even if the input 
password is correct or incorrect doesn't matter because time between the tl to <t2 
is equal to a and we cannot input the password with in a time. 

• If password is input between the t3 to oo time, again it will be invalid either the 
inpul password is correct or incorrect since it will greater then p. 

• If the password enter between tl to qo time, again it will be invalid even input 
password is correct. Since time between tl to oo is greater than p. 

• If the correct password enters between t2 to <t3 along with [a, P, 0], it will be valid 
since the time between t2 to <t3 is equal to p. 
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5.5.1 Probability Graph 


Probability 



Time (0 «*» ) 


Fig 5.2: Probability Graph of brute force on prev ious scheme 


Probability (01) 


0 


I 


«2 13 

Time (flw) 


Fig 5.3: Probability Graph of brute force on our scheme. 


From Fig 5.2 we can conclude that it is possible to get the password from time tl to 
oo through brute force attack. Fig 5.3 show our scheme and it proves that brute force can 
only be apply on the system within time t2 to <t3 If time exceeds, system can't be access 
even if possible combination is found to correct because it exceeds the threshold value of 
p.At the mean time only lpasswrdcombnation/per sec can be entered into the system 
because if more than one combination of password is entered into system for cracking it 
will be invalid again since for each iteration there is a timer of u sec at starting so system 
has to wait for a time to enter a new combination of password. 


JAIKISHAN KUMAR 




5.5.2 Time Calculation Required for a Brute Force Attack on Our Scheme

Let us calculate mathematically the time required to crack the password. We know that there are a total of 94 alphanumeric and symbol keys, i.e.

0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz<SP>!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~

We have taken combinations of 1 to 5 (and 8) characters from the above alphanumeric symbols and calculated the time requirements for brute forcing. Let the time elements be α, β, θ, δ, ψ and consider that the value of each time element ranges from 0 sec to 15 sec, where 15 sec is the threshold value. The new 5-character password could be written as:

αAβBθCδDψE (ABCDE is the 5-character password).

For 0 sec we get the following combination of the password:

α0A β0B θ0C δ0D ψ0E ... (1)

For 1 sec we get the following combination:

α1A β1B θ1C δ1D ψ1E ... (2)

Similarly, for 15 sec we get the following combination:

α15A β15B θ15C δ15D ψ15E ... (3)

μ is the time (in sec) within which the password must be entered by the user into the system, otherwise the authentication is invalid.

Case 1: For 1 character, [α1A] to [α15A] with α = 1 sec to 15 sec respectively.

For α = 1 sec:

If the password is one character long there are a total of 94 combinations, and the latest supercomputer can break it in less than a second.

Our scheme with a 1 sec delay [α1A]: there are 94 possible combinations, each costing the 1 sec delay plus up to 1 sec of typing, so any computer needs a minimum of 94 sec and a maximum of 188 sec to crack it, i.e. 1.56 minutes to 3.13 minutes. The time to crack is therefore increased by a factor of 94 to 188 (9,400% to 18,800%) just for a single-character password with a delay of only 1 sec. If the delay is α = 15 sec, i.e. [α15A], it takes approximately 25 minutes to crack.
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Case 2. For 2 digit [alA (3 IB] to [al5A [315B] with a=l sec, P^l sec to 15sec respectively. 
Total no of combinations = 3844 

Latest super computer can break it even less than a sec at the speed of 10 A 9 
password/parsec. 

Our scheme for I sec delay [a I A pi B] 

Min :(( 94*1) + (94*1))*3844 p sec=8.36 p days. 

Max :(( 94*1+94) + (94* 1+94)) "3844 p sec=16.72 p days 

For 15 sec: [a!5A pi5B] 

Min: ((94*15) + (94*15))*3844 p sec=125.463 p days 
Max: ((94*15+94) + (94*15+94))*3844 p sec=133.828l p 

Case 3: For 5 digit [a I A P 1 B 0 1 C 5 1 D vj/ 1 E] to [a!5A pl5B 015C 61 5D ip 1 5E] with a=l 
sec, p=l, 0=1, 5=1, \\r=\ sec to 15 sec respectively 
Total Combination: 8 Billion. 

Latest Computer can break in 8 sec with the speed of 10 A 10passwrod/parsec. 

Our Scheme for lsec delay: [al A pi B 01C SID \|/1L] 

Min: ((94* 1) + (94*1) + (94* 1) + (94* 1) + (94* 1))*8* 10 A 9 p sec = 1 19228.81 7859 p year. 
Max: ((94*1+94) + (94*1+94) + (94*1+94) + (94*1+94) + (94*1+94))*8*10 A 9 p sec 
=238457.635718 p years. 

Similar for 15 sec delay for in each word [al5A p 1 5B 01 5C 515D vp 1 5E | . 

Min: ((94*15) + (94*15) + (94*15) + (94*15) + (94*15))*8*10 A 9 p sec= 1788432.26788 
p years 

Max: ((94*15+94) + (94*15+94) + (94*15+94) + (94*15+94) + (94*15+94))*8*10 A 9 p 
sec=l 907661. 0857 p years. 
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Case 4: For 8 digit [alA (31B 01C 51D \j/lE ftltf <Mz yl@] to [al5A P15B 015C 515D 
vj/15E Q15# <I>15z yl5@] with a=l sec, (3=1, 0=1, 5=1, y=l, Q=l, <1>=1, y=l sec to 15sec 
respectively. 

Total Combination: 7.2 Quadrillion 

Latest Computer can break in 83 1 2 days with the speed of 10 A 10passwrod/parsec. 

Our Scheme for lsec delay: [al A plB 01C 81D \|/1E Ql# Olz y 1@|. 

Min: ((94^1) + (94*1) + (94*1) + (94*1) + (94*1) + (94*1) + (94*1) + (94*1))*8*10 A 9 p 
sec =190766.1085 p year. 

Max: ((94*1+94) + (94*1+94) + (94*1+94) + (94*1+94) + (94*1+94) + (94*1+94) + 
(94*1+94) + (94*1+94))*8*10 A 9 p sec =381532.217p years. 

Similar for 15sec delay for in each word [a!5A pl5B 015C 51 5D yI5E Q15# <!>15z 
yi5@l 

Min: ((94*15) + (94*15) + (94*15) + (94*15) + (94*15+ (94*15) + (94*15) + 
(94*15)) *8*10^9 p sec=2861491.6286p years 

Max: ((94*15+94) + (94*15+94) + (94*15+94) + (94*15+94) + (94*15+94) + (94*15+94) 
+ (94*15+94) + (94*15+94))*8*10 A 9p sec=3052257.737l892p years. 

Conclusion: Even for Cracking 5 Digit Password with our proposed Scheme it takes about 
(17*10 A 5 p) years at the delay of 1 sec between the each digit of passwords. 

Replay attack: It is possible to capture the password in a replay attack and send it back to the server after some time, but the system still does not authenticate access to the resources, because in a replay attack the intruder captures only the password, not the time elements. So we can say that a replay attack on our scheme is practically impossible.

Phishing attack: It is also not possible on our scheme. Intruders can only obtain the password, not the time elements, and without the time elements authentication is unsuccessful. Further, we can say that social engineering is not possible on our scheme.
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5.5.3 Brute force attack on One Time Password of our scheme 

We recommend setting a throttling specification T, which states the maximum 
number of possible brute force attack for One Time Password. The remote server handle 
the individual table per HOTP device in order log any failed attempt. We recommend the 
size of T should be as low as possible. Another option can be to deploy a delay mechanism 
to avoid a brute force attack. Another option can be to deploy a delay mechanism to avoid 
a brute force attack. After each try Al. the remote server should wait for an increased 
T*A1 number of sec, e.g., let T = 10, and after 1 try, the remote server should waits for 6 
seconds, at the second failed attempt, it waits for 10*2 = 10 seconds, etc. The delay or 
lockout methods must implemented across the login sessions to prevent attacks which is 
based on multiple parallel guessing technique. 

We have proposed efficient method to get rid of brute force attack on our scheme for 
One Time Password. During each request of one time password a new key is generated 
from the table, a random table and that secrete key is use to decrypt the One Time 
Passwords for each login attempts or initiate the transition.Random Table produces 9X9 
Matrix with 81 numbers. Each time the value of the matrix gets changes since it is random 
in nature .From that matrix, user needs to fetch the value (i j) and computer the OPTy with 
the help of OTP which was send from the RMS and send it back to the server for the 
verifications. After receiving the OTPy at RMS end. RMS compare the OTPy with OTPx 
and return true if OTPy=OTPx. So whenever any intruders gets the OTP or able to Access 
tiie OTP he/she cannot able to produce OTPy because he/she don’t know the value of ij . 
Further same technique can be implemented on the Reset code too. Thus this scheme 
proved be a very much secure and safe in the protection of OTP at client side. 
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9X9 Matrix Table 

Table 5.8: Random matrix table 




2 

3 

4 

5 

6 

7 

8 


1 

A1 

A2 

A3 

A4 

A5 

A6 

A7 

A8 

A9 

2 

A10 

All 

A12 

A13 

A14 

A15 

A16 

A17 

A18 

3 

A19 

A20 

A21 

A22 

A23 

A24 

A25 

A26 

A27 

4 

A28 

A29 

A30 

A31 

A32 

A33 

A3. 

A35 

A36 

5 

A37 

A38 

A39 

A40 

A41 

A42 

A43 

A44 

A45 

6 

A46 

A47 

A48 

A49 

A50 

A51 

A52 

A53 

A54 

7 

A55 

A56 

A57 

A58 

A59 

A60 

A61 

A62 

A63 

8 

A64 

A65 

A66 

A67 

A68 

A69 

4,0 

A71 

A72 

9 

A73 

A74 

A75 

A76 

A77 

A78 

A79 

A80 

A81 


The value of table get changed each time whenever the OTP request is done by user 
to the remote server. Let the user keys are x-7 and y-8 the respective value is (decryption 
key) A70 say 3. If' user request new OTP the value of A70 gets changed automatically may 
become 9. It Proves that OTP secure at Client side. Even after shoulder attack. The 
Probability of getting decryption key from the table is 1/81 for each iteration. 
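The random-table exchange of 4.4.2 and 5.5.3 together with the throttling of 5.5.3, combined in one added Python example (not code from the thesis). The page does not say how the table value "encrypts" the OTP, so the example assumes the simplest keyed transform, adding the cell value to every OTP digit mod 10; both sides apply it, which matches the page's OTPy == OTPx comparison. The server keeps only a hash of OTPx, sends the user the OTP and the fresh table, and applies the RFC 4226-style delay of T×A seconds after A failures plus a lockout ceiling (MAX_FAILS is an assumption). One caveat worth keeping in mind: with single-digit cells an attacker who holds the OTP and the table does not need the right cell among 81, only the right digit among 10, so the throttle is what actually bounds the guessing. Server, issue_otp, verify and client_otpy are the example's names.

```python
import hashlib
import hmac
import secrets

OTP_DIGITS = 6
T_THROTTLE = 5      # seconds; after A failures the server waits T*A seconds (RFC 4226 advice)
MAX_FAILS = 5       # assumption: refuse further attempts on this OTP after this many failures


def random_table(n: int = 9):
    """A fresh n x n table of single-digit values, regenerated for every OTP request."""
    return [[secrets.randbelow(10) for _ in range(n)] for _ in range(n)]


def transform(otp: str, k: int) -> str:
    """Assumed 'encryption' with the table value k: shift each OTP digit by k (mod 10)."""
    return "".join(str((int(d) + k) % 10) for d in otp)


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class Server:
    """RMS side: holds (i, j) = (K1, Ukx) per user and one pending OTP session per user."""

    def __init__(self):
        self.users = {}      # uid -> (i, j), 1-based row and column
        self.sessions = {}   # uid -> {"otpx": hash, "fails": n, "next_ok": time}

    def enrol(self, uid: str, k1: int, ukx: int) -> None:
        self.users[uid] = (k1, ukx)

    def issue_otp(self, uid: str):
        """Generate OTP and table, store h(OTPx), and return what the user is allowed to see."""
        i, j = self.users[uid]
        otp = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        table = random_table()
        otpx = transform(otp, table[i - 1][j - 1])
        self.sessions[uid] = {"otpx": _digest(otpx), "fails": 0, "next_ok": 0.0}
        return otp, table    # OTPx itself never leaves the server

    def verify(self, uid: str, otpy: str, now: float):
        """Return (accepted, seconds_to_wait). Throttle first, compare second, one use only."""
        s = self.sessions.get(uid)
        if s is None:
            return False, 0.0
        if now < s["next_ok"]:
            return False, s["next_ok"] - now
        if s["fails"] >= MAX_FAILS:
            return False, float("inf")
        if hmac.compare_digest(_digest(otpy), s["otpx"]):
            del self.sessions[uid]          # consumed: a replayed OTPy finds no session
            return True, 0.0
        s["fails"] += 1
        delay = T_THROTTLE * s["fails"]     # 5 s, 10 s, 15 s, ...
        s["next_ok"] = now + delay
        return False, float(delay)


def client_otpy(otp: str, table, i: int, j: int) -> str:
    """User side: look up the cell at (i, j) = (K1, Ukx) and form OTPy."""
    return transform(otp, table[i - 1][j - 1])


if __name__ == "__main__":
    srv = Server()
    srv.enrol("ABC", k1=7, ukx=8)
    otp, table = srv.issue_otp("ABC")
    print("OTP sent to user:", otp)
    print(srv.verify("ABC", transform(otp, (table[6][7] + 1) % 10), now=0.0))  # wrong cell: (False, 5.0)
    print(srv.verify("ABC", client_otpy(otp, table, 7, 8), now=1.0))           # throttled: (False, 4.0)
    print(srv.verify("ABC", client_otpy(otp, table, 7, 8), now=5.0))           # (True, 0.0)
```

The throttle state lives in the per-user session rather than in the login connection, which is what the page means by enforcing the delay across sessions: opening a second connection does not reset next_ok.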
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5.5.4 Comparison of our scheme with previous scheme 


Tabic 5.9: Comparison tabic 



A1 

A2 

A3 

A4 

A5 

A6 

A7 

A8 

A9 

A10 

Our 

Scheme 

N 

Y 

Y 

N 

Y 

Y 

Y 

Y 

N 

N 


N 

N 

N 

Y 

Y 

Y 

Y 

Y 

Y 

Y 

Jan- 

Chen[33] 

Y 

Y 

Y 

Y 

Y 

Y 

Y 

N 

Y 

Y 

Yang- 

Shich|32] 

Y 

Y 

N 

Y 

N 

N 

Y 

N 

Y 

Y 

Sun|27] 

N 

N 

N 

Y 

Y 

Y 

N 

Y 

Y 

Y 

Hwang- 

li|22] 

N 

N 

N 

Y 

N 

N 

N 

N 

Y 

Y 

Liao| 13| 

Y 

Y 

Y 

Y 

Y 

Y 

Y 

Y 

Y 

Y 


Y: For Supported N: For Not Supported 
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CHAPTER 6: RESULTS AND DISCUSSION 


6.1 IMPLEMENTATION

Implementation is the process of putting algorithms, decisions or plans into execution or effect. We have implemented our proposed algorithms in C (Dev-C++ and Code::Blocks). It is entirely CUI (console) based, and we simulated our proposed scheme successfully.

The Code::Blocks configuration details are as follows (version 16.01):

JAIKISHAN KUMAR 59


Highlights:

• Open Source! GPLv3, no hidden costs.

• Cross platform. Runs on Linux, Mac, Windows (uses wxWidgets).

• Written in C++. No interpreted languages or proprietary libs needed.

• Extensible through plugins

Compiler:

• Multiple compiler support:

o GCC (MinGW / GNU GCC)
o MSVC++
o clang
o Digital Mars
o Borland C++ 5.5
o Open Watcom
o ...and more

• Very fast custom build system (no makefiles needed)

• Support for parallel builds (utilizing your CPU's extra cores)

• Multi-target projects

• Workspaces to combine multiple projects

• Inter-project dependencies inside workspace

• Imports MSVC projects and workspaces (NOTE: assembly code not supported yet)

• Imports Dev-C++ projects

Debugger:

• Interfaces GNU GDB

• Also supports MS CDB (not fully featured)

• Full breakpoints support:

o Code breakpoints




o Data breakpoints (read, write and read/write)
o Breakpoint conditions (break only when an expression is true)
o Breakpoint ignore counts (break only after a certain number of hits)

• Display local function symbols and arguments

• User-defined watches (support for watching user-defined types through scripting)

• Call stack

• Disassembly

• Custom memory dump

• Switch between threads

• View CPU registers

Interface:

• Syntax highlighting, customizable and extensible

• Code folding for C, C++, FORTRAN, XML and many more files.

• Tabbed interface

• Code completion

• Class Browser

• Smart indent

• One key swap between .h and .c/.cpp files

• Open files list for quick switching between files (optional)

• External customizable "Tools"

• To-do list management with different users

6.2 OUTPUT

The output of the scheme is divided into two sections. The 1st section deals with the 4D
authentication output and results, and the 2nd section deals with OTP authentication.

6.2.1 4D Authentication Test Output and Results

Inputs are as follows:

Table 6.1: User Input Details

Users        Details
User ID:     Abc
Password:    Xyz
α:           5 sec (acts as the hold time at the initial position)
β:           15 sec (acts as the total time allowed to input the credentials)


Table 6.2: Output Generated by Compiler for the user

Users        Details
User ID:     Abc
Password:    Xyz
α:           5 sec (acts as the hold time at the initial position)
β:           15 sec (acts as the total time allowed to input the credentials)
(i, j):      (7, 7) computer-generated user secret key

[Fig 6.1 screenshot: Code::Blocks window showing the compiler output]

Fig 6.1: Compiler Output Screenshot


Case 1: If a wrong user id and password are entered into the system


Output: Data not matched


Console output shown in Fig 6.2:

    Please note down your information
    i.e. 1. user id, 2. Password, 3. Ran.key1, 4. Ran.key2
    UID: abc
    PWD: xyz
    Row_value(x): 7   Column_value(y): 7
    Your Time value of Passphrase: 13
    Storing Data, wait for at least 10 sec
    Welcome to Authentication Phase
    Enter UID: abc
    Enter PWD: xyzasd
    Checking the credentials
    Data not matched
    Process returned 19 (0x13)   execution time : 24.27 s
    Press any key to continue.


Fig 6.2: Compiler output screen if wrong data is entered
Case 2: If the correct user id and password are entered within β time but the value of α is exceeded


Output: Un-Success


[Fig 6.3 screenshot: console output of the α check]


Fig 6.3: α checking


Case 3: If the correct user id and password are entered but β time is exceeded
Output: Credentials Matched but 4D checking un-success.

Console output shown in Fig 6.4 (legible part):

    Welcome to Authentication Phase
    Enter UID: abc
    Enter PWD: xyz
    Checking the credentials
    Credentials matched.
    Please check the credentials
    Press any key to continue.


Fig 6.4: β checking
Case 4: If the correct user id and password are entered within β time, following α


Output: 4D Authentication Success, and the OTP (9959) and the random table are generated
for the 2nd phase of authentication.


[Fig 6.5 screenshot: the console prints "Credentials Matched", the one-time password
9 9 5 9, "Please Decrypt the OTP from the table", and the 9 x 9 random table of
two-digit values]


Fig 6.5: 4D Success and OTP and Random table Generated

Case 4: If the computer-generated OTP 9959 is entered as it is.

Output: Error, Try Again.

[Fig 6.6 screenshot: the console prompts for the decrypted OTP, rejects the value, and
prints "Press any key to continue."]


Fig 6.6: Computer Generated OTP entered
Case 5: If the decrypted OTP is entered using the key (i, j) value, i.e. (7, 7), Fig[6.1], Table[6.1]


Output: OTP Verification successful. Login Successful


Fig 6.7: Computer Generated OTP entered


Note: Since the OTP is dynamic in nature, it changes the next time and becomes 2197,
and the value fetched from the table at (7, 7) is 69. The OTP is decrypted with 69 and
sent to the RMS for verification.
Case 6: Brute force at a delay of 1 sec on a 1-digit password.


Output: Success, but only after 28 sec


[Fig 6.8 screenshot: two console windows printing "Random value" and "match not found
at N" for each attempt, then "match found", the total time consumed, and "Press any key
to continue."]


Fig 6.8: Brute force attack on 1-digit password at 1 sec delay


Note: Even the latest supercomputer requires a minimum of 28 sec to break it, since the
CPU processing is limited through this algorithm.
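The four outcomes reported in Cases 1 to 4, together with the per-attempt delay used in Case 6, combined into one decision routine as an added example (it is not the thesis's C program). It assumes the checks run in the order the outputs imply (attempt delay, credentials, then β, then α), that a measured hold longer than α is what "α exceeds" means, that the stored password is salted and hashed with PBKDF2-SHA256 (the thesis names only a one-way hash function), and that the attempt delay is enforced from timestamps; `register`, `four_d_login` and `Outcome` are names chosen here.

```python
from dataclasses import dataclass
from enum import Enum
import hashlib
import secrets
import time

ATTEMPT_DELAY = 1.0          # seconds enforced between attempts (Case 6 uses a 1 sec delay)
PBKDF2_ROUNDS = 100_000      # assumed hash parameters; the thesis names only a one-way hash


class Outcome(Enum):
    DATA_NOT_MATCHED = "Data not matched"                              # Case 1
    ALPHA_EXCEEDED = "Un-Success"                                      # Case 2
    BETA_EXCEEDED = "Credentials Matched but 4D checking un-success"   # Case 3
    SUCCESS = "4D Authentication Success"                              # Case 4
    RATE_LIMITED = "Attempt rejected: attempt delay not elapsed"       # Case 6 brake (wording assumed)


@dataclass
class UserRecord:
    uid: str
    salt: bytes
    pwd_hash: bytes
    alpha: float                 # required hold time at the initial position (sec)
    beta: float                  # maximum total time to enter the credentials (sec)
    last_attempt: float = float("-inf")   # timestamp of the last evaluated attempt


def hash_password(pwd, salt):
    """Salted one-way hash of the password (PBKDF2-SHA256 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", pwd.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(uid, pwd, alpha, beta):
    """Registration phase: store the uid, a salted hash and the user's alpha/beta."""
    salt = secrets.token_bytes(16)
    return UserRecord(uid, salt, hash_password(pwd, salt), alpha, beta)


def four_d_login(record, uid, pwd, hold_time, total_time, now=None):
    """Authentication phase.  hold_time and total_time are the seconds measured
    by the client UI (the 4th dimension); `now` is injectable for tests.
    Checks run in the order the case outputs imply: attempt delay, then
    credentials, then beta, then alpha."""
    now = time.monotonic() if now is None else now
    if now - record.last_attempt < ATTEMPT_DELAY:
        return Outcome.RATE_LIMITED          # brute-force brake: one attempt per ATTEMPT_DELAY
    record.last_attempt = now

    uid_ok = secrets.compare_digest(uid.encode("utf-8"), record.uid.encode("utf-8"))
    pwd_ok = secrets.compare_digest(hash_password(pwd, record.salt), record.pwd_hash)
    if not (uid_ok and pwd_ok):
        return Outcome.DATA_NOT_MATCHED      # Case 1
    if total_time > record.beta:
        return Outcome.BETA_EXCEEDED         # Case 3: credentials matched, beta exceeded
    if hold_time > record.alpha:
        return Outcome.ALPHA_EXCEEDED        # Case 2: assumption - a hold longer than alpha fails
    return Outcome.SUCCESS                   # Case 4: proceed to the OTP phase


if __name__ == "__main__":
    rec = register("abc", "xyz", alpha=5, beta=15)      # values from Table 6.1
    attempts = [("abc", "xyzasd", 5, 13),    # wrong password          -> Data not matched
                ("abc", "xyz", 7, 13),       # alpha exceeded          -> Un-Success
                ("abc", "xyz", 5, 20),       # beta exceeded           -> 4D checking un-success
                ("abc", "xyz", 5, 13)]       # within beta, following alpha -> success
    for i, args in enumerate(attempts):
        print(args, "->", four_d_login(rec, *args, now=float(2 * i)).value)
```

The `now` parameter is spaced two seconds apart in the demonstration so each attempt clears the one-second brake; a second call within one second of the previous one returns `Outcome.RATE_LIMITED` without evaluating the credentials.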
CHAPTER 7: CONCLUSION AND FUTURE SCOPE


7.1 CONCLUSION

In this paper, we have proposed a new 4D authentication scheme and an enhancement of
OTP for database security. We have taken ten requirements for evaluating our new 4D
password authentication and OTP enhancement scheme for database security. We found
that our new scheme is far better than the previous ones.

Following are the advantages of our new scheme.

1. Users are free to choose their ids and passwords, and even to change their passwords at will.

2. Whenever a password gets changed, the system automatically changes the keys (i, j).

3. It has the one-time password property and it is secure at both sides, client and
server.

4. It can withstand the guessing attack, brute force attack and replay attack.

5. It can also withstand even the case where passwords or the OTP are compromised or hacked.

7.2 FUTURE WORK

Our scheme has a lot of identifiers, like time elements, secret keys etc., which users
find hard to memorize for authentication, so it adds a little complexity to our
proposed scheme. Future work can be done in the following ways:

1. By reducing the number of identifiers.

2. By making the time elements more efficient and dynamic.

3. The scheme works in real-time environments, so a delay in the transmission of data may
result in a failure.